[CVE-2018-8279] Edge - Chakra: Parameter scope parsing bug - Google, Inc.

atulkatti · Atul Katti · commit 227fc37d08fe · 2018-07-10T10:03:48.000-07:00
diff --git a/lib/Parser/Parse.cpp b/lib/Parser/Parse.cpp
@@ -6311,7 +6311,9 @@ void Parser::ParseFncName(ParseNodeFnc * pnodeFnc, ushort flags, IdentPtr* pFncN
     pnodeFnc->pnodeName = nullptr;
 
     if ((m_token.tk != tkID || flags & fFncNoName)
-        && (IsStrictMode() || (pnodeFnc->IsGenerator()) || m_token.tk != tkYIELD || fDeclaration)) // Function expressions can have the name yield even inside generator functions
+        && (IsStrictMode() || fDeclaration
+            || pnodeFnc->IsGenerator() || pnodeFnc->IsAsync()
+                || (m_token.tk != tkYIELD && m_token.tk != tkAWAIT))) // Function expressions can have the name yield/await even inside generator/async functions
     {
         if (fDeclaration ||
             m_token.IsReservedWord())  // For example:  var x = (function break(){});
@@ -6321,7 +6323,7 @@ void Parser::ParseFncName(ParseNodeFnc * pnodeFnc, ushort flags, IdentPtr* pFncN
         return;
     }
 
-    Assert(m_token.tk == tkID || (m_token.tk == tkYIELD && !fDeclaration));
+    Assert(m_token.tk == tkID || (m_token.tk == tkYIELD && !fDeclaration) || (m_token.tk == tkAWAIT && !fDeclaration));
 
     if (IsStrictMode())
     {
@@ -8461,15 +8463,17 @@ ParseNodePtr Parser::ParseExpr(int oplMin,
                 // binding operator, be it unary or binary.
                 Error(ERRsyntax);
             }
-            if (m_currentScope->GetScopeType() == ScopeType_Parameter)
+            if (m_currentScope->GetScopeType() == ScopeType_Parameter
+                || (m_currentScope->GetScopeType() == ScopeType_Block && m_currentScope->GetEnclosingScope()->GetScopeType() == ScopeType_Parameter)) // Check whether this is a class definition inside param scope
             {
                 Error(ERRsyntax);
             }
         }
         else if (nop == knopAwait)
         {
             if (!this->GetScanner()->AwaitIsKeywordRegion() ||
-                m_currentScope->GetScopeType() == ScopeType_Parameter)
+                m_currentScope->GetScopeType() == ScopeType_Parameter ||
+                (m_currentScope->GetScopeType() == ScopeType_Block && m_currentScope->GetEnclosingScope()->GetScopeType() == ScopeType_Parameter)) // Check whether this is a class definition inside param scope
             {
                 // As with the 'yield' keyword, the case where 'await' is scanned as a keyword (tkAWAIT)
                 // but the scanner is not treating await as a keyword (!this->GetScanner()->AwaitIsKeyword())

Original file line number	Diff line number	Diff line change
`@@ -6311,7 +6311,9 @@ void Parser::ParseFncName(ParseNodeFnc * pnodeFnc, ushort flags, IdentPtr* pFncN`
`6311`	`6311`	`pnodeFnc->pnodeName = nullptr;`
`6312`	`6312`
`6313`	`6313`	`if ((m_token.tk != tkID \|\| flags & fFncNoName)`
`6314`		`- && (IsStrictMode() \|\| (pnodeFnc->IsGenerator()) \|\| m_token.tk != tkYIELD \|\| fDeclaration)) // Function expressions can have the name yield even inside generator functions`
	`6314`	`+ && (IsStrictMode() \|\| fDeclaration`
	`6315`	`+ \|\| pnodeFnc->IsGenerator() \|\| pnodeFnc->IsAsync()`
	`6316`	`+ \|\| (m_token.tk != tkYIELD && m_token.tk != tkAWAIT))) // Function expressions can have the name yield/await even inside generator/async functions`
`6315`	`6317`	`{`
`6316`	`6318`	`if (fDeclaration \|\|`
`6317`	`6319`	`m_token.IsReservedWord()) // For example: var x = (function break(){});`
`@@ -6321,7 +6323,7 @@ void Parser::ParseFncName(ParseNodeFnc * pnodeFnc, ushort flags, IdentPtr* pFncN`
`6321`	`6323`	`return;`
`6322`	`6324`	`}`
`6323`	`6325`
`6324`		`- Assert(m_token.tk == tkID \|\| (m_token.tk == tkYIELD && !fDeclaration));`
	`6326`	`+ Assert(m_token.tk == tkID \|\| (m_token.tk == tkYIELD && !fDeclaration) \|\| (m_token.tk == tkAWAIT && !fDeclaration));`
`6325`	`6327`
`6326`	`6328`	`if (IsStrictMode())`
`6327`	`6329`	`{`
`@@ -8461,15 +8463,17 @@ ParseNodePtr Parser::ParseExpr(int oplMin,`
`8461`	`8463`	`// binding operator, be it unary or binary.`
`8462`	`8464`	`Error(ERRsyntax);`
`8463`	`8465`	`}`
`8464`		`- if (m_currentScope->GetScopeType() == ScopeType_Parameter)`
	`8466`	`+ if (m_currentScope->GetScopeType() == ScopeType_Parameter`
	`8467`	`+ \|\| (m_currentScope->GetScopeType() == ScopeType_Block && m_currentScope->GetEnclosingScope()->GetScopeType() == ScopeType_Parameter)) // Check whether this is a class definition inside param scope`
`8465`	`8468`	`{`
`8466`	`8469`	`Error(ERRsyntax);`
`8467`	`8470`	`}`
`8468`	`8471`	`}`
`8469`	`8472`	`else if (nop == knopAwait)`
`8470`	`8473`	`{`
`8471`	`8474`	`if (!this->GetScanner()->AwaitIsKeywordRegion() \|\|`
`8472`		`- m_currentScope->GetScopeType() == ScopeType_Parameter)`
	`8475`	`+ m_currentScope->GetScopeType() == ScopeType_Parameter \|\|`
	`8476`	`+ (m_currentScope->GetScopeType() == ScopeType_Block && m_currentScope->GetEnclosingScope()->GetScopeType() == ScopeType_Parameter)) // Check whether this is a class definition inside param scope`
`8473`	`8477`	`{`
`8474`	`8478`	`// As with the 'yield' keyword, the case where 'await' is scanned as a keyword (tkAWAIT)`
`8475`	`8479`	`// but the scanner is not treating await as a keyword (!this->GetScanner()->AwaitIsKeyword())`