Currently, we create `this_argument` with `ordinary_create_from_constructor`, then we use `arguments_list` to build the callee_context. The issue is that we don't properly model the side effects of `ordinary_create_from_constructor`: if `new_target` is a Proxy object, then when we `get` the prototype, arbitrary JavaScript can run. That JavaScript can perform a function call with enough arguments to reallocate the interpreter's `m_argument_values_buffer` vector. This is dangerous and leads to a use-after-free, because our stack frame still holds a pointer into the old `m_argument_values_buffer` storage (`arguments_list`) and reads through it after the reallocation.
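// Regression test: `new` on a Proxy runs the proxy's `get` trap when the
// constructor's `prototype` is read (inside OrdinaryCreateFromConstructor).
// If that trap makes a call with enough arguments to grow the interpreter's
// argument buffer, the pending construct call must not keep using a stale
// pointer into the old buffer. Besides not crashing, the constructor checks
// that the argument it was given survived the reallocation intact.
test("Proxied constructor should handle argument_buffer reallocation during prototype get()", () => {
    // Callee for the oversized call; its body is irrelevant, only the
    // number of arguments pushed matters.
    function foo() {}

    const handler = {
        // Runs for every property read on the proxy, including the
        // `prototype` read performed while `new ConstructProxy(...)` is
        // creating the `this` object.
        get() {
            // prettier-ignore
            foo(
                // make extra sure we trigger a reallocation
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                0x41, 0x41, 0x41, 0x41, 0x41, 0x41
            );

            // The returned value is not what this test is about; the side
            // effect of the call above is.
            return null;
        },
    };

    function Construct() {
        // `arguments` is deliberately used here: it is materialized from the
        // argument list captured before the proxy trap ran, which is exactly
        // the memory that used to dangle. Reading it must yield the value
        // passed to `new`, not garbage from a freed buffer.
        if (arguments.length !== 1)
            throw new Error(`expected 1 argument, got ${arguments.length}`);
        if (arguments[0] !== 0x1)
            throw new Error(`expected argument 0x1, got ${arguments[0]}`);
    }

    const ConstructProxy = new Proxy(Construct, handler);

    new ConstructProxy(0x1);
});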