JSTests/ChakraCore/test/Error/encodeoverflow.js - WebKit - Git at Google

 //-------------------------------------------------------------------------------------------------------
 // Copyright (C) Microsoft. All rights reserved.
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------

 function get_n_copies_of(ch, n)
 {
     var powers = new Array();

     powers[0] = ch;
     for (var i = 1; (1<<i) < n; i++)
     {
         powers[i] = powers[i-1] + powers[i-1];
     }

     var out = '';

     for (var i = powers.length-1; i >= 0; i--)
     {
         if ((1 << i) > n)
             continue;

         out += powers[i];
         n -= (1 << i);
     }

     return out;
 }

 function exploit()
 {
     // The choice of character is somewhat important -- we need
     // something that expands out to 3 bytes in UTF-8 encoding.
     // In this case, U+20AC satisfies that requirement.
     var s1 = "\u20ac";
     var ss;

     try
     {
         ss = get_n_copies_of(s1, 477218589);
     }
     catch (e)
     {
         WScript.Echo("You don't have enough free memory or VA to run this -- you'll need as much as possible.");
         return;
     }

     WScript.Echo("SS length = " + ss.length + "<br/>");

     // encodeURI sums (3 * [number of UTF-8 bytes required]) for each character
     // Since we use a char with 3 bytes required, that means the encodeURI memory
     // allocation is 3 * 3 * 477218589 = 0x100000005.
     // This truncates when fit into a ulong to just 5.
     WScript.Echo(encodeURI(ss).length);
 }

 try {
 exploit();
 }
 catch (e)
 {
    WScript.Echo("Message: " + e.message);
 }
	//-------------------------------------------------------------------------------------------------------
	// Copyright (C) Microsoft. All rights reserved.
	// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
	//-------------------------------------------------------------------------------------------------------

	function get_n_copies_of(ch, n)
	{
	var powers = new Array();

	powers[0] = ch;
	for (var i = 1; (1<<i) < n; i++)
	{
	powers[i] = powers[i-1] + powers[i-1];
	}

	var out = '';

	for (var i = powers.length-1; i >= 0; i--)
	{
	if ((1 << i) > n)
	continue;

	out += powers[i];
	n -= (1 << i);
	}

	return out;
	}

	function exploit()
	{
	// The choice of character is somewhat important -- we need
	// something that expands out to 3 bytes in UTF-8 encoding.
	// In this case, U+20AC satisfies that requirement.
	var s1 = "\u20ac";
	var ss;

	try
	{
	ss = get_n_copies_of(s1, 477218589);
	}
	catch (e)
	{
	WScript.Echo("You don't have enough free memory or VA to run this -- you'll need as much as possible.");
	return;
	}

	WScript.Echo("SS length = " + ss.length + "<br/>");

	// encodeURI sums (3 * [number of UTF-8 bytes required]) for each character
	// Since we use a char with 3 bytes required, that means the encodeURI memory
	// allocation is 3 * 3 * 477218589 = 0x100000005.
	// This truncates when fit into a ulong to just 5.
	WScript.Echo(encodeURI(ss).length);
	}

	try {
	exploit();
	}
	catch (e)
	{
	WScript.Echo("Message: " + e.message);
	}