1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/js/src/tests/js1_5/extensions/regress-390598.js Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,34 @@
1.4 +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
1.5 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.6 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.7 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.8 +
1.9 +
1.10 +//-----------------------------------------------------------------------------
1.11 +var BUGNUMBER = 390598;
1.12 +var summary = 'array_length_setter is exploitable';
1.13 +var actual = 'No Crash';
1.14 +var expect = 'No Crash';
1.15 +
1.16 +//-----------------------------------------------------------------------------
1.17 +test();
1.18 +//-----------------------------------------------------------------------------
1.19 +
1.20 +function test()
1.21 +{
1.22 + enterFunc ('test');
1.23 + printBugNumber(BUGNUMBER);
1.24 + printStatus (summary);
1.25 +
1.26 + function exploit() {
1.27 + var fun = function () {};
1.28 + fun.__proto__ = [];
1.29 + fun.length = 0x50505050 >> 1;
1.30 + fun();
1.31 + }
1.32 + exploit();
1.33 +
1.34 + reportCompare(expect, actual, summary);
1.35 +
1.36 + exitFunc ('test');
1.37 +}
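Review bot: The inner `exploit()` function in `test()` has no comment saying what is being guarded, and the pass condition is implicit. `actual` is set to 'No Crash' at the top and never reassigned, so `reportCompare(expect, actual, summary)` always compares two equal constants and the only failure signal is the shell crashing before that line runs. I would add a comment above `exploit()` such as `// Bug 390598: assigning length on a function whose __proto__ is an Array must not be treated as an array length write; the test passes if the shell does not crash.` That wording is inferred from the summary string and should be checked against the bug. A second short comment on the `fun.length = 0x50505050 >> 1;` line saying why that constant was chosen would help whoever triages a future failure.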