Tag: JavaScriptEngine

JavaScriptEngine JavaScriptCore SideEffect

JavaScriptCore漏洞分析 - Bug-191731 RegExp.lastIndex Side-Effect

0x00 环境配置 环境配置:Ubuntu 18.04 x86_64,默认安装完成后升级最新的库,按照正常流程编译 Bug 191731: RegExp operations should not take fast patch if lastIndex is not numeric. https://bugs.webkit.org/show_bug.c...

Keep Reading
JavaScriptEngine V8 JIT OutOfBound SideEffect

V8漏洞分析 - BUG-880207 Math.expm1进行JIT未正确处理-0类型

Issue 880207: Security: incorrect type information on Math.expm1 https://bugs.chromium.org/p/chromium/issues/detail?id=880207 这个漏洞一共有三个补丁,按照时间顺序排列如下 commit 56f7dda67fdc9777719f7...

Keep Reading
JavaScriptEngine V8 OutOfBound SideEffect

V8漏洞分析 - BUG-821137 Array.from OOB

Issue 821137: OOB read/write using Array.prototype.from https://bugs.chromium.org/p/chromium/issues/detail?id=821137 Poc let oobArray = []; Array.from.call(function() { return ...

Keep Reading