OOB-holes in Array.prototype.indexOf
Reported by hit.lius...@gmail.com, Oct 24
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36
Steps to reproduce the problem:
poc:
arr = [{},{}];
from = {};
from.valueOf = ()=>{arr.pop()};
arr.indexOf([], from);
What is the expected behavior?
static Maybe<int64_t> IndexOfValueImpl(
...
length = std::min(static_cast<uint32_t>(elements_base->length()), length);//
...
for (uint32_t k = start_from; k < length; ++k) {
if (value->StrictEquals(elements->get(k))) return Just<int64_t>(k);//.................(a)
}
...
What went wrong?
I think whether the element at position k is a hole should be checked before getting its value.
Did this work before? N/A
Chrome version: 70.0.3538.67 Channel: stable
OS Version: 10.0
Flash Version:
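The report's concern is the interaction of two things: indexOf reads the array length before fromIndex is converted to a number, and that conversion runs user code (valueOf) that can shrink the array, so the loop can reach indices that are now holes. The following is an added example, not code from the bug report or from V8: a small reference indexOf written to the ECMAScript spec steps (length captured first, HasProperty checked before the comparison) next to a naive variant that reads element k without a hole check, both run against inputs constructed to mirror the PoC above. The function names specIndexOf, naiveIndexOf, makePoc, runPoc and builtinPoc are my own.

```javascript
// Added example (not from the bug report or V8): a reference
// Array.prototype.indexOf that follows the ECMAScript spec steps, next to a
// naive variant that mirrors the report's concern (reading element k without
// first checking whether k is a hole).

// Spec-shaped indexOf: the length is captured BEFORE fromIndex is converted,
// so user code running inside valueOf can shrink the array under us; the
// HasProperty check ("k in O") is what keeps such holes from being compared.
function specIndexOf(O, searchElement, fromIndex) {
  const len = O.length >>> 0;                      // LengthOfArrayLike
  if (len === 0) return -1;
  // ToIntegerOrInfinity(fromIndex): this is where arbitrary JS (valueOf) runs.
  let n = fromIndex === undefined ? 0 : Math.trunc(Number(fromIndex));
  if (Number.isNaN(n)) n = 0;
  if (n >= len) return -1;
  let k = n >= 0 ? n : Math.max(len + n, 0);
  for (; k < len; k++) {
    if (k in O && O[k] === searchElement) return k; // HasProperty, then strict equality
  }
  return -1;
}

// Naive variant: same length capture, but no hole check before the read.
// Past the shrunken array's end, O[k] is undefined, so searching for
// undefined "finds" an element that no longer exists.
function naiveIndexOf(O, searchElement, fromIndex) {
  const len = O.length >>> 0;
  if (len === 0) return -1;
  let n = fromIndex === undefined ? 0 : Math.trunc(Number(fromIndex));
  if (Number.isNaN(n)) n = 0;
  if (n >= len) return -1;
  let k = n >= 0 ? n : Math.max(len + n, 0);
  for (; k < len; k++) {
    if (O[k] === searchElement) return k;           // missing "k in O"
  }
  return -1;
}

// Constructed inputs mirroring the report's PoC: valueOf on the fromIndex
// argument pops the array while indexOf is in progress. valueOf returns
// undefined, so ToNumber yields NaN and the effective fromIndex is 0.
function makePoc() {
  const arr = [{}, {}];
  const from = { valueOf: () => { arr.pop(); } };
  return { arr, from };
}

// Run one implementation against the PoC and report what it returned and
// how long the array was afterwards.
function runPoc(impl, searchElement) {
  const { arr, from } = makePoc();
  const result = impl(arr, searchElement, from);
  return { result, lengthAfter: arr.length };
}

// The engine's own Array.prototype.indexOf on the same inputs, for comparison.
function builtinPoc() {
  const { arr, from } = makePoc();
  return arr.indexOf(undefined, from);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('spec,     search []:        ', runPoc(specIndexOf, []));
  console.log('spec,     search undefined: ', runPoc(specIndexOf, undefined));
  console.log('naive,    search undefined: ', runPoc(naiveIndexOf, undefined));
  console.log('built-in, search undefined: ', builtinPoc());
}
```

Searching for an object (as the PoC does) returns -1 under every variant, because nothing strictly equals a fresh object. Searching for undefined is the case that separates them: the spec-shaped version and the built-in skip the popped slot and return -1, while the naive version returns 1, the index of an element that no longer exists. That is the observable difference the report's hole check is about.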
Oct 24
I am not sure if this is a security issue or a bug, please adjust it according to the situation.
Oct 31
Tried testing the issue on the reported Chrome version 70.0.3538.67 on Windows 10 with the steps mentioned below:
1) Launched chrome reported version and Opened Devtools > Console
2) Executed below code in console
arr = [{},{}];
from = {};
from.valueOf = ()=>{arr.pop()};
arr.indexOf([], from);
Saw the response '-1'.
@Reporter: Please find the attached screenshot for your reference and provide your feedback on it. If possible, could you please provide a screencast of the issue, which would help in understanding it better?
Thanks!
Comment 1 Deleted