js/xpconnect/crashtests/509075-1.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
  <script>

    var txt = document.createTextNode("");
    var b = document.createElement("b");
    var w = b["watch"];
    var txtdg = txt["__lookupGetter__"];
    w["__defineGetter__"]("toString",txtdg);
    var obj = {
      variable: 910,
      fun: function() {
        w["toString"]();
      }
    };

    function vuln()
    {
      window.status = "" + obj.variable;
      try{
        obj.fun();
      }catch(er){}
      return obj;
    }

    var ret = vuln();
  </script>
</html>