[CVE-2018-8505] Edge - Chakra::TypeConfusion_8_16 JIT - Qihoo 360

rajatd · Thomas Moore (CHAKRA) · commit 08f11df45aef · 2018-10-08T11:29:27.000-07:00
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -4950,13 +4950,18 @@ using namespace Js;
                 }
                 else if (instanceType == TypeIds_NativeIntArray)
                 {
-                    // Only accept tagged int. Also covers case for MissingItem
+                    // Only accept tagged int.
                     if (!TaggedInt::Is(value))
                     {
                         return false;
                     }
                     int32 intValue = 0;
                     if (!MemsetConversion<int32, JavascriptConversion::ToInt32>(value, scriptContext, &intValue))
+                    {
+                        return false;
+                    }
+                     // Special case for missing item
+                    if (SparseArraySegment<int32>::IsMissingItem(&intValue))
                     {
                         return false;
                     }
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -3424,16 +3424,12 @@ using namespace Js;
             {
                 if (TaggedInt::Is(aItem))
                 {
-                    pDestArray->DirectSetItemAt(idxDest, TaggedInt::ToInt32(aItem));
+                    int32 int32Value = TaggedInt::ToInt32(aItem);
+                    Assert(!SparseArraySegment<int32>::IsMissingItem(&int32Value));
+                    pDestArray->DirectSetItemAt(idxDest, int32Value);
                 }
                 else
                 {
-#if DBG
-                    int32 int32Value;
-                    Assert(
-                        JavascriptNumber::TryGetInt32Value(JavascriptNumber::GetValue(aItem), &int32Value) &&
-                        !SparseArraySegment<int32>::IsMissingItem(&int32Value));
-#endif
                     pDestArray->DirectSetItemAt(idxDest, static_cast<int32>(JavascriptNumber::GetValue(aItem)));
                 }
                 ++idxDest;

Original file line number	Diff line number	Diff line change
`@@ -4950,13 +4950,18 @@ using namespace Js;`
`4950`	`4950`	`}`
`4951`	`4951`	`else if (instanceType == TypeIds_NativeIntArray)`
`4952`	`4952`	`{`
`4953`		`- // Only accept tagged int. Also covers case for MissingItem`
	`4953`	`+ // Only accept tagged int.`
`4954`	`4954`	`if (!TaggedInt::Is(value))`
`4955`	`4955`	`{`
`4956`	`4956`	`return false;`
`4957`	`4957`	`}`
`4958`	`4958`	`int32 intValue = 0;`
`4959`	`4959`	`if (!MemsetConversion<int32, JavascriptConversion::ToInt32>(value, scriptContext, &intValue))`
	`4960`	`+ {`
	`4961`	`+ return false;`
	`4962`	`+ }`
	`4963`	`+ // Special case for missing item`
	`4964`	`+ if (SparseArraySegment<int32>::IsMissingItem(&intValue))`
`4960`	`4965`	`{`
`4961`	`4966`	`return false;`
`4962`	`4967`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3424,16 +3424,12 @@ using namespace Js;`
`3424`	`3424`	`{`
`3425`	`3425`	`if (TaggedInt::Is(aItem))`
`3426`	`3426`	`{`
`3427`		`- pDestArray->DirectSetItemAt(idxDest, TaggedInt::ToInt32(aItem));`
	`3427`	`+ int32 int32Value = TaggedInt::ToInt32(aItem);`
	`3428`	`+ Assert(!SparseArraySegment<int32>::IsMissingItem(&int32Value));`
	`3429`	`+ pDestArray->DirectSetItemAt(idxDest, int32Value);`
`3428`	`3430`	`}`
`3429`	`3431`	`else`
`3430`	`3432`	`{`
`3431`		`-#if DBG`
`3432`		`- int32 int32Value;`
`3433`		`- Assert(`
`3434`		`- JavascriptNumber::TryGetInt32Value(JavascriptNumber::GetValue(aItem), &int32Value) &&`
`3435`		`- !SparseArraySegment<int32>::IsMissingItem(&int32Value));`
`3436`		`-#endif`
`3437`	`3433`	`pDestArray->DirectSetItemAt(idxDest, static_cast<int32>(JavascriptNumber::GetValue(aItem)));`
`3438`	`3434`	`}`
`3439`	`3435`	`++idxDest;`