WebKit JSC ObjectPatternNode::appendEntry Use-After-Free

2017.07.25
Credit: ifratric
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

WebKit: JSC: Stack-Use-After-Free in ObjectPatternNode::appendEntry

Here's a snippet of ObjectPatternNode::appendEntry.

    void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
    {
        m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern, defaultValue, bindingType });
    }

Here's the definition of Entry.

    struct Entry {
        const Identifier& propertyName;
        ExpressionNode* propertyExpression;
        bool wasString;
        DestructuringPatternNode* pattern;
        ExpressionNode* defaultValue;
        BindingType bindingType;
    };

The Identifier object created by "Identifier()" is on the stack, so it is freed at the end of the appendEntry method, while the Entry stored in m_targetPatterns still holds a reference to it in propertyName.

PoC:

    var {[a]: b, ...[]} = {};

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: lokihardt
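The defect pattern in this report, a struct that keeps a const reference to an object whose lifetime ends with the call that built it, can be reproduced in isolation. The following is an added example written for this page, not WebKit code: the Identifier, DanglingEntry, OwningEntry and the live() registry are stand-ins constructed here. The stand-in Identifier registers every live instance by address, so the check detects the dangling reference without ever reading through it (which would be undefined behaviour). The owning variant stores the Identifier by value, which is one way to close this kind of gap; WebKit's actual fix is not reproduced here.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Stand-in for JSC's Identifier, constructed for this example. Every live
// instance registers its address so lifetime can be checked without ever
// reading through a reference that may already dangle.
struct Identifier {
    std::string name;

    static std::set<const Identifier*>& live() {
        static std::set<const Identifier*> registry;
        return registry;
    }

    explicit Identifier(std::string n = "") : name(std::move(n)) { live().insert(this); }
    Identifier(const Identifier& other) : name(other.name) { live().insert(this); }
    Identifier(Identifier&& other) noexcept : name(std::move(other.name)) { live().insert(this); }
    ~Identifier() { live().erase(this); }
};

// Vulnerable shape, mirroring the report's Entry: the entry only borrows the
// Identifier through a const reference and owns nothing.
struct DanglingEntry {
    const Identifier& propertyName;
    int propertyIndex;
};

struct DanglingPattern {
    std::vector<DanglingEntry> entries;

    void appendEntry(int index) {
        // Identifier() is a temporary on this frame. It is destroyed at the end
        // of this full-expression, but the copy stored in the vector still
        // refers to it, so entries.back().propertyName dangles from here on.
        entries.push_back(DanglingEntry{ Identifier(), index });
    }
};

// Hardened shape: the entry owns its Identifier, so the name lives exactly as
// long as the entry does (and moves with it on vector reallocation).
struct OwningEntry {
    Identifier propertyName;
    int propertyIndex;
};

struct OwningPattern {
    std::vector<OwningEntry> entries;

    void appendEntry(int index) {
        entries.push_back(OwningEntry{ Identifier(), index });
    }
};

// Lifetime check by address only: true when the object the first entry's
// propertyName refers to is still registered as live.
template <typename Pattern>
bool firstReferentAlive(const Pattern& p) {
    return Identifier::live().count(&p.entries.front().propertyName) == 1;
}

bool danglingReferentAlive() {
    DanglingPattern p;
    p.appendEntry(0);
    return firstReferentAlive(p);   // false: the temporary is already gone
}

bool owningReferentAlive() {
    OwningPattern p;
    p.appendEntry(0);
    return firstReferentAlive(p);   // true: the entry owns the Identifier
}

int main() {
    std::printf("borrowing entry, referent alive after append: %s\n",
                danglingReferentAlive() ? "yes" : "no (dangling)");
    std::printf("owning entry,    referent alive after append: %s\n",
                owningReferentAlive() ? "yes" : "no");
    return 0;
}
```

The example deliberately never dereferences the stale reference; if a later consumer did read DanglingEntry::propertyName, a build with -fsanitize=address would report it as a stack-use-after-scope, which is the class of finding the report's title describes. Reference members in structs that are copied into long-lived containers are worth flagging in review for exactly this reason: the struct silently outlives whatever the reference was bound to.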



Copyright 2024, cxsecurity.com
