Home Explore Help
Sign In
SunnyMirror
/
ChakraCore
mirror of https://github.com/microsoft/ChakraCore.git
2
0
Fork 0
Files Issues 0 Wiki
Branch: builtins
Branches Tags
ChakraCore
/
test
/
Error
/
encodeoverflow.js

encodeoverflow.js 1.7 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. //-------------------------------------------------------------------------------------------------------
    2. 

  2. // Copyright (C) Microsoft. All rights reserved.
    3. 

  3. // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
    4. 

  4. //-------------------------------------------------------------------------------------------------------
    5. 

  5. 

  6. function get_n_copies_of(ch, n)
    7. 

  7. {
    8. 

  8.     var powers = new Array();
    9. 

  9. 

  10.     powers[0] = ch;
    11. 

  11.     for (var i = 1; (1<<i) < n; i++)
    12. 

  12.     {
    13. 

  13.         powers[i] = powers[i-1] + powers[i-1];
    14. 

  14.     }
    15. 

  15. 

  16.     var out = '';
    17. 

  17. 

  18.     for (var i = powers.length-1; i >= 0; i--)
    19. 

  19.     {
    20. 

  20.         if ((1 << i) > n)
    21. 

  21.             continue;
    22. 

  22. 

  23.         out += powers[i];
    24. 

  24.         n -= (1 << i);
    25. 

  25.     }
    26. 

  26. 

  27.     return out;
    28. 

  28. }
    29. 

  29. 

  30. function exploit()
    31. 

  31. {
    32. 

  32.     // The choice of character is somewhat important -- we need
    33. 

  33.     // something that expands out to 3 bytes in UTF-8 encoding.
    34. 

  34.     // In this case, U+20AC satisfies that requirement.
    35. 

  35.     var s1 = "\u20ac";
    36. 

  36.     var ss;
    37. 

  37.  
    38. 

  38.     try
    39. 

  39.     {
    40. 

  40.         ss = get_n_copies_of(s1, 477218589);
    41. 

  41.     }
    42. 

  42.     catch (e)
    43. 

  43.     {
    44. 

  44.         WScript.Echo("You don't have enough free memory or VA to run this -- you'll need as much as possible.");
    45. 

  45.         return;
    46. 

  46.     }
    47. 

  47.     
    48. 

  48.     WScript.Echo("SS length = " + ss.length + "<br/>");
    49. 

  49. 

  50.     // encodeURI sums (3 * [number of UTF-8 bytes required]) for each character
    51. 

  51.     // Since we use a char with 3 bytes required, that means the encodeURI memory
    52. 

  52.     // allocation is 3 * 3 * 477218589 = 0x100000005.
    53. 

  53.     // This truncates when fit into a ulong to just 5.
    54. 

  54.     WScript.Echo(encodeURI(ss).length);
    55. 

  55. }
    56. 

  56. 

  57. try {
    58. 

  58. exploit();
    59. 

  59. }
    60. 

  60. catch (e)
    61. 

  61. {
    62. 

  62.    WScript.Echo("Message: " + e.message);
    63. 

  63. }
    64.