Tag: V8

JavaScriptEngine V8 JIT OutOfBound SideEffect

V8漏洞分析 - BUG-880207 Math.expm1进行JIT未正确处理-0类型

Issue 880207: Security: incorrect type information on Math.expm1 https://bugs.chromium.org/p/chromium/issues/detail?id=880207 这个漏洞一共有三个补丁，按照时间顺序排列如下 commit 56f7dda67fdc9777719f7...

November 18, 2019

Keep Reading

JavaScriptEngine V8 OutOfBound SideEffect

V8漏洞分析 - BUG-821137 Array.from OOB

Issue 821137: OOB read/write using Array.prototype.from https://bugs.chromium.org/p/chromium/issues/detail?id=821137 Poc let oobArray = []; Array.from.call(function() { return ...

April 16, 2019

Keep Reading