bug2004509.js (935B)
// |jit-test|

// Regression test (bug2004509.js): a structured-clone buffer whose bytes were
// altered after serialization must be rejected by deserialize() with an Error.
// The buffer is serialized with scope "DifferentProcess", so it stands in for
// clone data that crosses a process boundary and cannot be trusted to be
// well-formed.

load(libdir + "asserts.js");

// Local truthiness check used for the buffer-layout preconditions below.
function assert(x) {
  if (!x) {
    throw new Error("assertion failed");
  }
}

// f and g are kept as-is: their names end up in the captured stack, and the
// captured stack is what gets serialized.
function f() { return saveStack(); }
function g() { return f(); }

// Four buffer characters of the form <low>, 0x00, 0xFF, 0xFF. The test treats
// these as structured-clone tag words; the SCTAG_* names used below follow the
// original "SCTAG_STRING -> SCTAG_INT32" comment.
const tagBytes = (low) => String.fromCharCode(low, 0x00, 0xFF, 0xFF);

const savedStack = g();
const cloneBuf = serialize(savedStack, undefined, {scope: "DifferentProcess"});
const bytes = cloneBuf.clonebuffer;

// First occurrence of 02 00 FF FF.
// NOTE(review): presumably the boolean tag of the serialized frame; confirm
// against the structured-clone writer.
const boolAt = bytes.indexOf(tagBytes(0x02));
assert(boolAt >= 0);

// First occurrence of 04 00 FF FF (SCTAG_STRING) starting 8 characters past
// the previous match, i.e. a string field that follows the boolean.
const stringAt = bytes.indexOf(tagBytes(0x04), boolAt + 8);
assert(stringAt >= 0);

// SCTAG_STRING -> SCTAG_INT32
// Only the four tag characters are swapped; everything before and after them
// is copied unchanged, so the buffer length stays the same.
const corrupted = [
  bytes.substring(0, stringAt),
  tagBytes(0x03),
  bytes.substring(stringAt + 4),
].join("");

// A valid clone buffer object is needed to carry the tampered bytes, so one is
// made from a throwaway value and its contents are then overwritten.
const carrier = serialize("dummy");
carrier.clonebuffer = corrupted;

// The reader must fail with an Error on the mismatched field type instead of
// accepting the tampered buffer.
assertThrowsInstanceOf(() => deserialize(carrier), Error);