Created attachment 285614 [details]
A use after free occurs in the sort of the JS array. In the attached exploit `z.toString()` was evaluated and a new element was pushed to W in the function, triggering a growth and reallocation of the array. However, it tried to write the sorted elements onto the old, already freed memory. The patch updates the location of `data` before writing to it.
This bug was present from revisions 130826 to 183570. It has not been exploitable for a while but is being reported in case there are other places that may have similar issues, and so a test case might be implemented to ensure it doesn't crop up again.
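The pattern in this report, as an added C model that is not WebKit's code: a comparator callback (standing in for the `z.toString()` above) pushes onto the array mid-sort, so the backing store is freed and replaced, and the sort re-reads `data` after every callback instead of caching it once, which is what the attached patch does. `Vec`, `vec_push`, `sort_prefix` and the sample values are constructed for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Growable int array standing in for a JS array's backing store (constructed model). */
typedef struct { int *data; size_t len, cap; } Vec;

static void vec_push(Vec *v, int x) {
    if (v->len == v->cap) {
        size_t ncap = v->cap ? v->cap * 2 : 4;
        int *fresh = malloc(ncap * sizeof *fresh);
        if (!fresh) abort();
        if (v->len) memcpy(fresh, v->data, v->len * sizeof *fresh);
        free(v->data);            /* old store is freed: any cached copy of data is now dangling */
        v->data = fresh;
        v->cap = ncap;
    }
    v->data[v->len++] = x;
}

/* A comparator runs user code; like z.toString() in the report it may grow the array. */
typedef int (*cmp_fn)(Vec *v, int a, int b);

static int pushing_cmp(Vec *v, int a, int b) { vec_push(v, 99); return a - b; }
static int plain_cmp(Vec *v, int a, int b) { (void)v; return a - b; }

/* Insertion sort of the first n elements. v->data is re-read after every
 * callback rather than cached once before the loop (a cached pointer is the
 * bug described above). Returns how many callbacks replaced the backing store. */
static int sort_prefix(Vec *v, size_t n, cmp_fn cmp) {
    int moved = 0;
    for (size_t i = 1; i < n; i++) {
        int key = v->data[i];
        size_t j = i;
        while (j > 0) {
            int *before = v->data;
            int greater = cmp(v, v->data[j - 1], key) > 0;
            if (v->data != before) moved++;     /* store was reallocated under us */
            if (!greater) break;
            v->data[j] = v->data[j - 1];        /* write through the fresh pointer, never `before` */
            j--;
        }
        v->data[j] = key;
    }
    return moved;
}

/* Returns 1 when the sorted prefix is correct despite growth during the sort. */
static int run_demo(int *moved_out) {
    Vec v = {0};
    int in[] = {5, 3, 9, 1};
    for (size_t i = 0; i < 4; i++) vec_push(&v, in[i]);   /* len == cap == 4 */
    *moved_out = sort_prefix(&v, 4, pushing_cmp);          /* the first callback push reallocates */
    int ok = v.data[0] == 1 && v.data[1] == 3 && v.data[2] == 5 && v.data[3] == 9 && v.len == 9;
    free(v.data);
    return ok;
}
```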
Created attachment 285617 [details]
Fix for use after free
Fixed in 183570
Fix committed in r183570 <https://trac.webkit.org/changeset/183570/>.
Note: We should turn the exploit example into a test case so we can guard against this in the future.
Test case added:
Committed in r204344 <https://trac.webkit.org/changeset/204344>.
This fix shipped a few years ago, opening for public access.