Académique Documents
Professionnel Documents
Culture Documents
float* []
1.0
CVE-2015-3039
var filter = new ConvolutionFilter(...);
var n = { valueOf : ts };
var a = [];
a[0] = n;
filter.matrix = a;
function ts(){
filter.matrix = [1];
}
CVE-2015-3039
var filter = new ConvolutionFilter(...);
var n = { valueOf : ts };
var a = [];
a[0] = n;
filter.matrix = a;
function ts(){
filter.matrix = [1];
}
Array.species
“But what if I subclass an array and slice it, and I want the thing I
get back to be a regular Array and not the subclass?”
if (JavascriptConversion::ToBoolean(selected, scriptContext))
{
// Try to fast path if the return object is an array
if (newArr)
{
newArr->DirectSetItemAt(i, element);
Array.species, etc.
● Old code
● Context issue
Android WebView Issues
● Misuse
● Extra features
● Lack of updates
● Unexpected interactions
CVE-2916-4117 (666)
● Android libraries
○ WebView
○ Media
○ Qualcomm
○ Linux
Lack of Updates
Prevention
http://googleprojectzero.blogspot.com/
@natashenka
natalie@natashenka.ca