- slice() – The Blob interface’s slice() method creates and returns a new Blob object which contains data from a subset of the blob on which it’s called.
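As an added example (not code from the original post, and not a description of the Mojo bug, which the post does not detail), the following writes out the File API's argument normalisation for Blob.slice() in plain JavaScript and checks the model against the runtime's own Blob: negative offsets count from the end and everything is clamped to the blob's size, so out-of-range arguments can never address bytes outside the source blob. The sample text is constructed; `sliceBounds` and `checkAgainstBlob` are names chosen here.

```javascript
// Added example: File API normalisation of Blob.slice(start, end) arguments.
// Node 18+ exposes Blob globally; older Node gets it from node:buffer.
const BlobImpl = globalThis.Blob ?? require('node:buffer').Blob;

// Model the spec's clamping rules for slice(start, end) on a blob of `size` bytes:
//  - a missing start means 0, a missing end means size
//  - negative values are relative to the end, floored at 0
//  - positive values are capped at size
//  - a start past the end yields an empty slice, never a negative length
function sliceBounds(size, start, end) {
  const s = start === undefined ? 0
    : start < 0 ? Math.max(size + start, 0) : Math.min(start, size);
  const e = end === undefined ? size
    : end < 0 ? Math.max(size + end, 0) : Math.min(end, size);
  return { start: s, end: e, length: Math.max(e - s, 0) };
}

// Compare the model with the real Blob.slice() on a constructed payload.
// Returns true when the runtime's slice has the size the model predicts.
function checkAgainstBlob(text, start, end) {
  const blob = new BlobImpl([text]);          // constructed sample input
  const expected = sliceBounds(blob.size, start, end);
  const actual = blob.slice(start, end);
  return actual.size === expected.length;
}

// Stand-alone run: exercise in-range, negative and wildly out-of-range arguments
for (const [start, end] of [[2, 5], [-5, undefined], [8, 2], [100, 200], [-100, 3]]) {
  console.log(`slice(${start}, ${end}) ->`, sliceBounds(11, start, end),
              'matches runtime:', checkAgainstBlob('hello world', start, end));
}
```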
Background: Mojo is a collection of runtime libraries providing a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages to facilitate convenient message passing across arbitrary inter- and intra-process boundaries. By far the most commonly used API defined by Mojo, the C++ Bindings API exposes a robust set of features for interacting with message pipes via generated C++ bindings code.
Vulnerability details: Insufficient data validation in Mojo. Google has confirmed that an exploit for the bug exists in the wild, making the vulnerability a zero-day security issue. An attacker can exploit the bug by feeding it malicious input.
Official announcement – Stable Channel Update for Desktop (Friday, September 2, 2022) – https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html
My observation: Refer to the attached diagram. Is it possible to trigger the vulnerability in this situation?