michael@0: /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0: 
michael@0: 
michael@0: //-----------------------------------------------------------------------------
michael@0: var BUGNUMBER = 390598;
michael@0: var summary = 'array_length_setter is exploitable';
michael@0: var actual = 'No Crash';
michael@0: var expect = 'No Crash';
michael@0: 
michael@0: //-----------------------------------------------------------------------------
michael@0: test();
michael@0: //-----------------------------------------------------------------------------
michael@0: 
michael@0: function test()
michael@0: {
michael@0:   enterFunc ('test');
michael@0:   printBugNumber(BUGNUMBER);
michael@0:   printStatus (summary);
michael@0:  
michael@0:   function exploit() {
michael@0:     var fun = function () {};
michael@0:     fun.__proto__ = [];
michael@0:     fun.length = 0x50505050 >> 1;
michael@0:     fun();
michael@0:   }
michael@0:   exploit();
michael@0: 
michael@0:   reportCompare(expect, actual, summary);
michael@0: 
michael@0:   exitFunc ('test');
michael@0: }