
Issue 655446 link


Issue metadata

Status: Duplicate
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: Chrome TypedArray.copyWithin() Memory Corruption

Reported by pabster...@gmail.com, Oct 13 2016

Issue description

VULNERABILITY DETAILS
There is a memory corruption vulnerability in Chrome that can be triggered by using TypedArray.copyWithin in a way that will crash the tab, because of a crash on the Chrome Helper for that tab. It may be possible to exploit this vulnerability to perform arbitrary code execution on people that visit a website with the payload.

VERSION
Chrome Version: 53.0.2785.143
Operating System: Mac OS X 10.11.6

REPRODUCTION CASE
This could be used to execute code in a victim's machine when they visit your website. I attached a PoC with the necessary code to trigger this vulnerability. It is a memory corruption vulnerability. Just open the html file in Chrome and it will crash because of memory corruption. Note: Repeated exploitation of this bug causes the main Chrome process to crash because of a Segmentation Fault. Info attached.
HTML File:

<html>
<body>
<script>

var q = new ArrayBuffer(2147479551);
var o = {valueOf : !true}
var a = new Uint8Array(q);
 
var d = a.copyWithin(true, a, true);
console.log(d)
 
</script>
</body>
</html>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Client ID (if relevant): [see link above]
Crash ID 83a01800-e998-4a23-80b4-3fbfa7adafca

Attachment: Google Chrome_2016-10-12-155454_pabster.crash (91.2 KB)
The vulnerability resides in doing: TypedArray.copyWithin(123, OtherTypedArray, 123);

Comment 2 by ClusterFuzz (Project Member), Oct 13 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6427931369013248

Comment 3 by ClusterFuzz (Project Member), Oct 13 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4833281684275200

Comment 4 by mmoroz@chromium.org, Oct 13 2016

Mergedinto: 655442
Status: Duplicate (was: Unconfirmed)

Comment 5 by sheriffbot@chromium.org (Project Member), Jan 19 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
