CVE-2018-4442

/* The doesGC function simply takes a node, and tells if it might cause a garbage collection This function is used to determine whether to insert write barriers But it's missing GetIndexedPropertyStorage that can cause a garbage collection via rope strings As a result, it can lead to UaF PoC: */ function gc() { for (let i = 0; i < 10; ...

The doesGC function simply takes a node, and tells if it might cause a garbage collection This function is used to determine whether to insert write barriers But it is missing some cases such as StringCharAt, StringCharCodeAt and GetByVal that might cause a garbage collection via rope strings As a result, it can lead to a use-after-free conditio ...

<!--X-Body-Begin--> <!--X-User-Header--> Full Disclosure mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> APPLE-SA-2018-12-05-1 iOS 1211 <!--X-Subject-Header-End--> <!--X-Head-of-Message--> From: Apple Product Security v ...

<!--X-Body-Begin--> <!--X-User-Header--> Full Disclosure mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> APPLE-SA-2018-12-06-1 watchOS 512 <!--X-Subject-Header-End--> <!--X-Head-of-Message--> From: Apple Product Securit ...

<!--X-Body-Begin--> <!--X-User-Header--> Full Disclosure mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> APPLE-SA-2018-12-05-6 iCloud for Windows 79 <!--X-Subject-Header-End--> <!--X-Head-of-Message--> From: Apple Produc ...