js/src/tests/js1_5/extensions/regress-390598.js

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
michael@0 2 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 3 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 5
michael@0 6
michael@0 7 //-----------------------------------------------------------------------------
// Bugzilla id of the defect this file guards against; test() passes it to
// printBugNumber().
var BUGNUMBER = 390598;
// Short description of the defect; used as the status line and as the label
// of the final reportCompare() call.
var summary = 'array_length_setter is exploitable';
// Both strings are fixed and nothing in this file reassigns `actual`, so the
// comparison in test() succeeds whenever it is reached. The only failure this
// test can signal is the process dying before reportCompare() runs.
// NOTE(review): memory corruption that does not crash would go unnoticed here;
// running the test on a debug or sanitizer-instrumented build is presumably
// what makes it meaningful. Confirm with the harness configuration.
var actual = 'No Crash';
var expect = 'No Crash';

//-----------------------------------------------------------------------------
// `test` is a function declaration further down the file, so it is hoisted
// and can be called before its definition.
test();
michael@0 15 //-----------------------------------------------------------------------------
michael@0 16
/**
 * Regression test for bug 390598 ("array_length_setter is exploitable").
 *
 * Creates a function object whose prototype is an Array, writes `length` on
 * it, calls it, and then reports success. The test passes if the engine
 * survives to reach reportCompare().
 *
 * enterFunc, printBugNumber, printStatus, reportCompare and exitFunc are not
 * defined in this file; they are presumably supplied by the test harness.
 */
function test()
{
  enterFunc ('test');
  printBugNumber(BUGNUMBER);
  printStatus (summary);

  // Statement order matters in this helper: the prototype must be swapped
  // before `length` is written, and the call must come last.
  function exploit() {
    var fun = function () {};
    // Put an Array instance on the function's prototype chain, so a write to
    // `length` on the function can reach the array's length handling.
    fun.__proto__ = [];
    // 0x50505050 >> 1 evaluates to 0x28282828.
    // NOTE(review): the shift presumably accounts for how the engine encodes
    // small integers internally. Confirm against the bug report.
    fun.length = 0x50505050 >> 1;
    // Calling the function exercises its internal state after the write above.
    // A fixed engine must return normally here.
    fun();
  }
  exploit();

  // Reached only if nothing above crashed; expect and actual are both the
  // constant 'No Crash', so this records a pass.
  reportCompare(expect, actual, summary);

  exitFunc ('test');
}
