[CVE-2018-8467] Edge - Chakra type confusion - Google, Inc.

pleath · MikeHolman · commit 07a72e2849aa · 2018-09-11T09:46:30.000-07:00
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -1915,6 +1915,10 @@ GlobOpt::UpdateObjPtrValueType(IR::Opnd * opnd, IR::Instr * instr)
                 }
             }
             break;
+        case Js::TypeIds_NativeIntArray:
+        case Js::TypeIds_NativeFloatArray:
+            // Do not mark these values as definite to protect against array conversion
+            break;
         case Js::TypeIds_Array:
             // Because array can change type id, we can only make it definite if we are doing array check hoist
             // so that implicit call will be installed between the array checks.

Original file line number	Diff line number	Diff line change
`@@ -1915,6 +1915,10 @@ GlobOpt::UpdateObjPtrValueType(IR::Opnd * opnd, IR::Instr * instr)`
`1915`	`1915`	`}`
`1916`	`1916`	`}`
`1917`	`1917`	`break;`
	`1918`	`+ case Js::TypeIds_NativeIntArray:`
	`1919`	`+ case Js::TypeIds_NativeFloatArray:`
	`1920`	`+ // Do not mark these values as definite to protect against array conversion`
	`1921`	`+ break;`
`1918`	`1922`	`case Js::TypeIds_Array:`
`1919`	`1923`	`// Because array can change type id, we can only make it definite if we are doing array check hoist`
`1920`	`1924`	`// so that implicit call will be installed between the array checks.`