Tags: spidermonkey pwn firefox 


There is a 2-element overflow in Array when the code is JIT compiled. We can use this to overwrite the group and the shape of a Uint8Array with those of a Uint32Array, which gives a larger and more controlled overflow in a typed array. Full writeup [here](https://blog.bi0s.in/2019/10/09/Pwn/Browser-Exploitation/inctf-ateles-writeup/).

Original writeup (https://blog.bi0s.in/2019/10/09/Pwn/Browser-Exploitation/inctf-ateles-writeup/).