Open l0kihardt opened 6 years ago
fuzz-1.zip: attached the PoC HTML for your convenience
Thanks for reporting this. This repo was unofficially deprecated on Oct 5 when we started switching to https://github.com/brave/brave-browser/ and we are now actively migrating users off of it
Operating system: brave-v8.1.8-linux-x64.zip Linux ubuntu 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux ubuntu 18.04
Steps to reproduce
r /path/to/demo.html
If you want to get to the function before 0x3799940, you can use the gdb script I uploaded.
Basic info
So the bug actually happens in base::internal::Invoker<base::internal::BindState<void (*)> when it tries to bind a callback function, which is at 0x2D412E0.
The obj passed to this function has been freed before Invoker is called, so that a2->qword28 + a2->qword30 is NULL, which eventually causes a NULL pointer dereference.