[CVE-2018-0994] Edge - Submit a use after free bug to Edge - 360Vulcan

Author: akroshg

lib/Runtime/Library/JavascriptArray.cpp

@@ -2090,6 +2090,13 @@ namespace Js
         // Code below has potential to throw due to OOM or SO. Just FailFast on those cases
         AutoDisableInterrupt failFastError(scriptContext->GetThreadContext());
 
+#if defined(TARGET_32)
+        if (fArray->head && (fArray->head->size >= SparseArraySegmentBase::INLINE_CHUNK_SIZE / shrinkFactor))
+        {
+            CopyHeadIfInlinedHeadSegment<double>(fArray, recycler);
+        }
+#endif
+
         for (seg = fArray->head; seg; seg = nextSeg)
         {
             nextSeg = seg->next;
@@ -5320,6 +5327,8 @@ namespace Js
             AnalysisAssert(array->head);
             SparseArraySegment<T>* newHeadSeg = array->ReallocNonLeafSegment((SparseArraySegment<T>*)PointerValue(array->head), array->head->next);
             array->head = newHeadSeg;
+            array->InvalidateLastUsedSegment();
+            array->ClearSegmentMap();
         }
     }
 

lib/Runtime/Library/JavascriptArray.h

@@ -549,6 +549,8 @@ namespace Js
         void SetHeadAndLastUsedSegment(SparseArraySegmentBase * segment);
         void SetLastUsedSegment(SparseArraySegmentBase * segment);
         bool HasSegmentMap() const;
+        template<typename T>
+        static void CopyHeadIfInlinedHeadSegment(JavascriptArray *array, Recycler *recycler);
 
     private:
         void SetSegmentMap(SegmentBTreeRoot * segmentMap);
@@ -584,8 +586,6 @@ namespace Js
 
         virtual int32 HeadSegmentIndexOfHelper(Var search, uint32 &fromIndex, uint32 toIndex, bool includesAlgorithm, ScriptContext * scriptContext);
 
-        template<typename T>
-        static void CopyHeadIfInlinedHeadSegment(JavascriptArray *array, Recycler *recycler);
         template<typename T>
         static void ReallocateNonLeafLastSegmentIfLeaf(JavascriptArray * arr, Recycler * recycler);