WebKit JSC ObjectPatternNode::appendEntry Use-After-Free

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1036966 漏洞类型
发布时间 2017-07-25 更新时间 2017-07-25
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2017070164
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
 WebKit: JSC: Stack-Use-After-Free in ObjectPatternNode::appendEntry 




Here's a snippet of ObjectPatternNode::appendEntry.

void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
{
    m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern, defaultValue, bindingType });
}

Here's the definition of Entry.

struct Entry {
    const Identifier& propertyName;
    ExpressionNode* propertyExpression;
    bool wasString;
    DestructuringPatternNode* pattern;
    ExpressionNode* defaultValue;
    BindingType bindingType;
};

The Identifier object created by "Identifier()" is in the stack. So it will get freed in the end of the appendEntry method.

PoC:
var {[a]: b, ...[]} = {};



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt