Tags: js v8 pwn pwnable 


Thanks to the crbug URL we can find the bug's regression test.
After analysing the PoC, we deduce that we can get two Arrays whose JS Elements point to the same address (with size > 0), which is an amazing property.
So we can leak and prepare a fake ArrayBuffer.
The next steps:
1. Leaking a function address.
2. Leaking the JIT address.
3. Writing shellcode.
4. Pwn!

Original writeup (https://pastebin.com/frnxKrEh).