Part II analysing the Coruna 'buffout' WebKit exploit - getting R/W using a fake JSArray youtube.com/watch?v=4bWaI4fr…

Sony removed the JSArray::fastFill function from JSArray.cpp, or perhaps it was never added in the first place. People aren’t going to understand, lol.

[454485895][reward: $50000] Incorrect Optimization of ArrayConstructor by Maglev Leads to Creation of Malformed JSArray Objects crbug.com/454485895

[449413023, 441221573][sandbox] Avoid using signed string lengths in ArrayPrototypeJoin (namely in JSArray::ArrayJoinConcatToSequentialString) and enable implicit sign conversion warnings for respective piece of code chromium-review.googlesource…

First impressions working with Kotlin/WASM: It's in alpha and it shows The types that come with /WASM are not intuitive. It seems like there is a duplication of types between Kotlin and /WASM, ie JsAny, JsString, JsArray, etc. There is no `dynamic` type here like /JS. This is problematic because working with APIs that are defined in /WASM (such as 3rd party libs) force you to strongly type them. This makes browser interop a PITA Here is defining a 3rd party library on /WASM: And to call it you do: which is 'ok', but I don't want to have to strongly type 3rd party dependencies, because I need to find the signature of the 3rd API and also maintain the bindings myself. When I am prototyping things, I want to be able to move fast so that I can check if a solution works for me or not. However the performance I get on a Compose app is INSANE compared to Kotlin/JS target It feels close to running the desktop version of my app

🤔 [array] Improve JSArray capacity changes chromium-review.googlesource…

any flutter peeps, can someone solve this bullshit conversion error, claude is done with this. error: Generic Exception: TypeError: Instance of 'JSArray<dynamic>': type 'List<dynamic>' is not a subtype of type 'List<String>' app write service implementation:

"Learn how to use the `fill()` method in JavaScript #JavaScript #CodingTips #WebDevelopment #ArrayMethods #JavaScriptTricks #LearnProgramming #CodeWithMe #DeveloperTips #JSArray #ProgrammingTutorial #TechTutorial #FrontendDevelopment #JSMethods #Shorts

JavaScript: Type Conversion Full Article: rustcodeweb.com/2024/08/type… #array #jsarray #WebDesign #programminghelp #codingeverywhere #codinglife #CodingChallenge #Coding #html #css #htmlcss #html5 #css3 #operator #webdevelopment #JavaScript #WebDevelopment #JS #Programming

They use the technique in the @DarkNavyOrg blog post to type confuse a JSProxy with a JSArray. The target field of the proxy is an ArrayBuffer - this field happens to overlap with the JSArray's elements field. Then u just overwrite ArrayBuffer's length.

Turns out you can craft a valid JSArray using only the map address, e.g. with map 0x0018efb9, any 4 byte offset into the following is a valid(ish) JSarray: 0x0018efb90018efb9, 0x0018efb90018efb9, 0x0018efb90018efb9, 0x0018efb90018efb9 Makes spraying potentially more reliable 🤔

🤔 [267036][Clone(De)Serializer]Should crash when deserializing JSArray object containing named property length. `length` is treated as a special property in JSArray. There shouldn't be any named property `length` in JSArray bugs.webkit.org/show_bug.cgi… commits.webkit.org/276108@ma…

[324482838][maglev] Fix sandbox violation when allocating an empty array. Initial JSArray map shouldn't have any in-object properties. chromium-review.googlesource… Added check to verify that this was not mutated by an attacker: SBXCHECK_EQ(map.GetInObjectProperties(), 0);

Mastering JavaScript arrays is essential for devs! Here are 10 powerful filtering methods to level up your skills! tinyurl.com/354r5k2v @CsharpCorner #JavaScript #CodingTips #WebDev #JSArray #Coding #JSFilters #tuesdayvibe #programming

Chrome In-The-Wild type confusion vulnerability used in the Android Exploit Chain to install Predator on Android devices in Egypt (CVE-2023-4762 [1473247]) happens during handling of growing a non-JSArray packed elements kind within turbofan: chromium.googlesource.com/v8…

Crash in v8::internal::JSArray::ArrayJoinConcatToSequentialString crbug.com/1420860

Yeah and the Array.map impl is somewhat optimized github.com/facebook/hermes/b… (e.g. JSArray::setElementAt is faster than JSObject::setComputedProperty.... which is what would be called when you do `arr[i] = foo`)

All the manticore team did was take theori_io exploit and copied it to their GitHub and announced they was making a jailbreak… in reality they didn’t add anything at all to the Original POC. No faking JSArray nor Arbitrary r/w…. Part 2.

I find it weird how on iOS 15.3.1 when overwriting the backing butterfly of an array it falls in JS VM Gigacage and triggers a crash/log JSarray objects have never been gigacaged before?!!

Well I tried to fake wasm at forest but turns out it’s gigacaged now but I worked arround it by faking a jsarray