
Issue 898449


Issue metadata

Status: Unconfirmed
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




OOB-holes in Array.prototype.indexOf

Reported by hit.lius...@gmail.com, Oct 24

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36

Steps to reproduce the problem:
PoC:
arr = [{}, {}];
from = {};
from.valueOf = () => { arr.pop(); };  // runs while indexOf coerces fromIndex
arr.indexOf([], from);

What is the expected behavior?
static Maybe<int64_t> IndexOfValueImpl(
...
    length = std::min(static_cast<uint32_t>(elements_base->length()), length);
...
    for (uint32_t k = start_from; k < length; ++k) {
      if (value->StrictEquals(elements->get(k))) return Just<int64_t>(k);  // (a)
    }
...

What went wrong?
I think whether the element at position k is a hole should be checked before getting its value.

Did this work before? N/A 

Chrome version: 70.0.3538.67  Channel: stable
OS Version: 10.0
Flash Version:
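The PoC above hinges on evaluation order: Array.prototype.indexOf reads the array length first, then coerces fromIndex (which is where the user-supplied valueOf runs and pops the array), and only then scans. The following is an added example, not code from the bug report or from V8: a reference indexOf written in the spec's step order, plus a small harness (scenario names, the reentrantFrom helper and the constructed arrays are assumptions) that runs the PoC pattern and a few variants against both the reference and the engine's native builtin. The observable result of the reported PoC is -1 in both, matching the triage comment below; the example also shows why a hole check matters at all, since indexOf skips holes via HasProperty while includes reads them as undefined.

```javascript
'use strict';

// Added example (not from the bug report or V8): a reference indexOf that
// follows the ECMAScript step order, and a harness that runs reentrant
// fromIndex scenarios against both it and the native builtin.

// Reference Array.prototype.indexOf. Two ordering facts matter here:
//  1. `len` is read from the array BEFORE fromIndex is coerced, so user code
//     that runs inside valueOf cannot extend the scanned range;
//  2. each index is tested with HasProperty (`k in O`) before its value is
//     read, so a slot emptied during that valueOf is skipped, not read.
function specIndexOf(arr, searchElement, fromIndex) {
  const O = Object(arr);
  const len = Math.min(Math.max(Math.trunc(Number(O.length)) || 0, 0), 2 ** 53 - 1);
  if (len === 0) return -1;
  // ToIntegerOrInfinity(fromIndex): the only point at which the caller's
  // valueOf/toString runs.
  let n = fromIndex === undefined ? 0 : Number(fromIndex);
  n = Number.isNaN(n) ? 0 : Math.trunc(n) + 0;   // "+ 0" normalises -0 to +0
  if (n === Infinity) return -1;
  let k = n >= 0 ? n : Math.max(len + n, 0);
  for (; k < len; k++) {
    if (k in O && O[k] === searchElement) return k;
  }
  return -1;
}

// Hypothetical helper: a fromIndex whose valueOf mutates the array mid-call,
// as in the reported PoC. The PoC's arrow returned undefined (coerced to 0);
// returning 0 explicitly makes the start index unambiguous.
function reentrantFrom(mutate) {
  return { valueOf() { mutate(); return 0; } };
}

// Run one scenario against the native builtin and the reference
// implementation on two freshly built arrays (each call mutates its own).
// `pick` chooses the search value before the mutation happens.
function compare(makeArr, pick, mutate) {
  const a = makeArr();
  const b = makeArr();
  const native = a.indexOf(pick(a), reentrantFrom(() => mutate(a)));
  const spec = specIndexOf(b, pick(b), reentrantFrom(() => mutate(b)));
  return { native, spec };
}

const sentinel = {};
const twoObjects = () => [{}, {}];   // constructed input, same shape as the PoC

// Constructed scenarios around the PoC pattern.
const scenarios = {
  // the reported PoC: pop() during coercion, searching for an unrelated array
  popUnrelated: compare(twoObjects, () => [], a => a.pop()),
  // pop() removes the very element searched for: index 1 is now absent
  popSearched: compare(twoObjects, a => a[1], a => a.pop()),
  // the element at index 0 survives the pop and is still found
  popSurvivor: compare(twoObjects, a => a[0], a => a.pop()),
  // push() during coercion: len was captured as 2, so index 2 is never scanned
  pushDuringCoercion: compare(twoObjects, () => sentinel, a => a.push(sentinel)),
  // truncating the array during coercion empties every scanned index
  truncate: compare(twoObjects, a => a[0], a => { a.length = 0; }),
};

// Why the hole check matters semantically: indexOf skips holes (HasProperty),
// includes does not (it reads the slot as undefined).
function holeSemantics() {
  const sparse = [1, , 3];   // index 1 is a hole
  return {
    indexOf: sparse.indexOf(undefined),
    includes: sparse.includes(undefined),
    spec: specIndexOf(sparse, undefined),
  };
}

// True when every scenario agrees between native and reference implementation.
function allAgree() {
  return Object.values(scenarios).every(r => r.native === r.spec);
}

console.table(scenarios);
console.log(holeSemantics(), 'native and reference agree:', allAgree());
```

Run it with node; every scenario should report the same value from the native builtin and from specIndexOf, and the PoC scenario reports -1 in both. The popSearched case is the instructive one: the pop during fromIndex coercion leaves index 1 empty, and the spec's HasProperty step is what makes that slot invisible to the scan rather than something to be read.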
 


I am not sure if this is a security issue or a bug; please adjust it according to the situation.
Labels: Needs-Triage-M70
Components: -Blink Blink>JavaScript
Cc: viswa.karala@chromium.org
Labels: Triaged-ET Needs-Feedback
Tried testing the issue on the reported Chrome version 70.0.3538.67 on Windows 10 with the steps mentioned below:
1) Launched the reported Chrome version and opened DevTools > Console
2) Executed the code below in the console
arr = [{}, {}];
from = {};
from.valueOf = () => { arr.pop(); };
arr.indexOf([], from);
Saw the response '-1'.

@Reporter: Please find the attached screenshot for your reference and provide your feedback on it. If possible, could you please provide a screencast of the issue, which would help in understanding it better.

Thanks!
Attachment: 898449.PNG (94.4 KB)
