This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
//////////////////////////////////////////////////////////////////////////// | |
// | |
// The vulnerability was that the following line of code could change the type of the | |
// underlying Array from JavascriptNativeIntArray to JavascriptArray: | |
// | |
// spreadableCheckedAndTrue = JavascriptOperators::IsConcatSpreadable(aItem) != FALSE; | |
// | |
// As can be seen in the provided .diff, the check for whether the type of the pDestArray has changed | |
// was removed. If the aItem then is not a JavascriptArray, the following code path is taken: | |
// else |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
___ ____ ______ __ | |
/ | / __ \/ ___/ | / / | |
/ /| |/ / / /\__ \| | / / | |
/ ___ / /_/ /___/ /| |/ / | |
/_/__||||||_//____/ |___/__ _____ __ _ __ | |
/ ____/ /_ ___ _____/ /_/ ___// /_ (_) /_ | |
/ / / __ \/ _ \/ ___/ __/\__ \/ __ \/ / __/ | |
/ /___/ / / / __/ /__/ /_ ___/ / / / / / /_ | |
\____/_/ /_/\___/\___/\__//____/_/ /_/_/\__/ |