[CVE-2019-1107] Chakra JIT Type Confusion FinishOptPropOp

pleath · atulkatti · commit 214dec9461f9 · 2019-07-01T12:09:28.000-07:00
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -410,6 +410,14 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
         if (inGlobOpt)
         {
             KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
+            if (this->objectTypeSyms)
+            {
+                if (this->currentBlock->globOptData.maybeWrittenTypeSyms == nullptr)
+                {
+                    this->currentBlock->globOptData.maybeWrittenTypeSyms = JitAnew(this->alloc, BVSparse<JitArenaAllocator>, this->alloc);
+                }
+                this->currentBlock->globOptData.maybeWrittenTypeSyms->Or(this->objectTypeSyms);
+            }
         }
 
         // fall through

Original file line number	Diff line number	Diff line change
`@@ -410,6 +410,14 @@ GlobOpt::ProcessFieldKills(IR::Instr instr, BVSparse<JitArenaAllocator> bv, bo`
`410`	`410`	`if (inGlobOpt)`
`411`	`411`	`{`
`412`	`412`	`KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);`
	`413`	`+ if (this->objectTypeSyms)`
	`414`	`+ {`
	`415`	`+ if (this->currentBlock->globOptData.maybeWrittenTypeSyms == nullptr)`
	`416`	`+ {`
	`417`	`+ this->currentBlock->globOptData.maybeWrittenTypeSyms = JitAnew(this->alloc, BVSparse<JitArenaAllocator>, this->alloc);`
	`418`	`+ }`
	`419`	`+ this->currentBlock->globOptData.maybeWrittenTypeSyms->Or(this->objectTypeSyms);`
	`420`	`+ }`
`413`	`421`	`}`
`414`	`422`
`415`	`423`	`// fall through`