New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 1033 link

Starred by 1 user

Issue metadata

Status: Fixed
Last visit > 30 days ago
Closed: Mar 2017

Sign in to add a comment

Safari Browser: Out-of-bounds read when calling bound function

Project Member Reported by, Dec 8 2016

Issue description

There is an out-of-bounds read when reading the bound arguments array of a bound function. When Function.bind is called, the arguments to the call are transferred to an Array before they are passed to JSBoundFunction::JSBoundFunction. Since it is possible that the Array prototype has had a setter added to it, it is possible for user script to obtain a reference to this Array, and alter it so that the length is longer than the backing native butterfly array. Then when boundFunctionCall attempts to copy this array to the call parameters, it assumes the length is not longer than the allocated array (which would be true if it wasn't altered), and reads out of bounds.

This is likely exploitable, because the read values are treated as JSValues, so this issue can allow type confusion if the attacker controls any of the unallocated values that are read.

This issue is only in WebKit trunk and Safari preview, it hasn't made it to regular Safari releases yet.

A minimal PoC is as follows, and a full PoC is attached.

var ba;

function s(){
	ba = this;

function dummy(){
	alert("just a function");

Object.defineProperty(Array.prototype, "0", {set : s });
var f = dummy.bind({}, 1, 2, 3, 4);
ba.length = 100000;
f(1, 2, 3);

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

405 bytes View Download
Project Member

Comment 1 by, Mar 9 2017

Labels: -Reported-2016-Dec-8 Reported-2016-Jan-5

Comment 2 by, Mar 16 2017

Labels: -Reported-2016-Jan-5 Reported-2017-Jan-5
Project Member

Comment 3 by, Mar 27 2017

Labels: -Restrict-View-Commit CVE-2017-2447
Status: Fixed (was: New)

Sign in to add a comment