JSC JIT Out-Of-Bounds Access
Posted by deepcore on June 4, 2020 – 5:13 pm
JavaScriptCore's DFG and FTL JIT compilers incorrectly replace a Checked ArithNegate node with an Unchecked one (and vice versa) during Common Subexpression Elimination (CSE). Because the two forms have different semantics at the int32 boundaries, this can be exploited to cause out-of-bounds accesses and potentially other memory-safety violations.
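To see why the two node types are not interchangeable, here is an added illustration (not JSC code; the function names and the "bailout" modelling are this example's own) of checked versus unchecked int32 negation: the results only diverge for 0 (whose negation is -0, not an int32) and INT32_MIN (whose negation overflows int32), which are exactly the cases a checked node guards and an unchecked node silently wraps.

```javascript
// Added example: models the two ArithNegate semantics a JIT distinguishes.
// Hypothetical helper names; not taken from JavaScriptCore.
const INT32_MIN = -2147483648;

// Unchecked negate: the result is reinterpreted as a machine int32,
// so -INT32_MIN wraps back to INT32_MIN and -0 collapses to 0.
function negateUnchecked(x) {
  return (-x) | 0;
}

// Checked negate: the result must remain a representable int32;
// otherwise the compiled code bails out (modelled here as an exception).
class OverflowBailout extends Error {}
function negateChecked(x) {
  if (x === 0 || x === INT32_MIN) {
    throw new OverflowBailout(`negate(${x}) leaves the int32 range`);
  }
  return -x;
}

// Report every sample input on which the two forms disagree.
// 'bailout' marks inputs where the checked form would deoptimize.
function divergingInputs(samples) {
  const out = [];
  for (const x of samples) {
    let checked;
    try {
      checked = negateChecked(x);
    } catch (e) {
      if (!(e instanceof OverflowBailout)) throw e;
      checked = 'bailout';
    }
    const unchecked = negateUnchecked(x);
    if (checked !== unchecked) out.push({ x, checked, unchecked });
  }
  return out;
}

// A range proof of the kind CSE-adjacent passes rely on: "x <= 0 implies
// -x >= 0" holds for the checked form but is violated by the unchecked
// form at INT32_MIN, which is why substituting one for the other can
// invalidate a bounds check derived from that proof.
function nonNegativeAfterUncheckedNegate(x) {
  return negateUnchecked(x) >= 0;
}
```

Constructed sample inputs [0, 1, -1, INT32_MIN, 2147483647] make only 0 and INT32_MIN show up as diverging.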