Fixing possible overflow in BoundFunction::NewInstance.

VSadov · VSadov · commit 25dfd416e10f · 2018-07-09T12:06:54.000-07:00
Not sure if the possibility is practically reachable, but the static checker complains about a  possible overflow.

    We allocate an extra element in `newValues` based only only on `CallFlags_ExtraArg` flag. Therefore we should be consistent when writing to that element.

    `args.HasExtraArg` looks at more flags and, in theory, could result in writing to an element that does not exist. That seems to be making OACR unhappy.

    Fixes: OS:#17999665
    Fixes: OS:#18010300
diff --git a/lib/Runtime/Base/CallInfo.cpp b/lib/Runtime/Base/CallInfo.cpp
@@ -16,7 +16,7 @@ namespace Js
     {
         AssertOrFailFastMsg(count < Constants::UShortMaxValue - 1, "ArgList too large");
         ArgSlot argSlotCount = (ArgSlot)count;
-        if (flags & CallFlags_ExtraArg)
+        if (CallInfo::HasExtraArg(flags))
         {
             argSlotCount++;
         }
@@ -25,7 +25,7 @@ namespace Js
 
     uint CallInfo::GetLargeArgCountWithExtraArgs(CallFlags flags, uint count)
     {
-        if (flags & CallFlags_ExtraArg)
+        if (CallInfo::HasExtraArg(flags))
         {
             UInt32Math::Inc(count);
         }
@@ -35,7 +35,7 @@ namespace Js
     ArgSlot CallInfo::GetArgCountWithoutExtraArgs(CallFlags flags, ArgSlot count)
     {
         ArgSlot newCount = count;
-        if (flags & Js::CallFlags_ExtraArg)
+        if (CallInfo::HasExtraArg(flags))
         {
             if (count == 0)
             {
diff --git a/lib/Runtime/Base/CallInfo.h b/lib/Runtime/Base/CallInfo.h
@@ -77,7 +77,7 @@ namespace Js
 
         bool HasExtraArg() const
         {
-            return (this->Flags & CallFlags_ExtraArg) || this->HasNewTarget();
+            return  CallInfo::HasExtraArg(this->Flags);
         }
 
         bool HasNewTarget() const
@@ -91,6 +91,11 @@ namespace Js
 
         static ArgSlot GetArgCountWithoutExtraArgs(CallFlags flags, ArgSlot count);
 
+        static bool HasExtraArg(CallFlags flags)
+        {
+            return (flags & CallFlags_ExtraArg) || CallInfo::HasNewTarget(flags);
+        }
+
         static bool HasNewTarget(CallFlags flags)
         {
             return (flags & CallFlags_NewTarget) == CallFlags_NewTarget;

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ namespace Js`
`16`	`16`	`{`
`17`	`17`	`AssertOrFailFastMsg(count < Constants::UShortMaxValue - 1, "ArgList too large");`
`18`	`18`	`ArgSlot argSlotCount = (ArgSlot)count;`
`19`		`- if (flags & CallFlags_ExtraArg)`
	`19`	`+ if (CallInfo::HasExtraArg(flags))`
`20`	`20`	`{`
`21`	`21`	`argSlotCount++;`
`22`	`22`	`}`
`@@ -25,7 +25,7 @@ namespace Js`
`25`	`25`
`26`	`26`	`uint CallInfo::GetLargeArgCountWithExtraArgs(CallFlags flags, uint count)`
`27`	`27`	`{`
`28`		`- if (flags & CallFlags_ExtraArg)`
	`28`	`+ if (CallInfo::HasExtraArg(flags))`
`29`	`29`	`{`
`30`	`30`	`UInt32Math::Inc(count);`
`31`	`31`	`}`
`@@ -35,7 +35,7 @@ namespace Js`
`35`	`35`	`ArgSlot CallInfo::GetArgCountWithoutExtraArgs(CallFlags flags, ArgSlot count)`
`36`	`36`	`{`
`37`	`37`	`ArgSlot newCount = count;`
`38`		`- if (flags & Js::CallFlags_ExtraArg)`
	`38`	`+ if (CallInfo::HasExtraArg(flags))`
`39`	`39`	`{`
`40`	`40`	`if (count == 0)`
`41`	`41`	`{`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ namespace Js`
`77`	`77`
`78`	`78`	`bool HasExtraArg() const`
`79`	`79`	`{`
`80`		`- return (this->Flags & CallFlags_ExtraArg) \|\| this->HasNewTarget();`
	`80`	`+ return CallInfo::HasExtraArg(this->Flags);`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`bool HasNewTarget() const`
`@@ -91,6 +91,11 @@ namespace Js`
`91`	`91`
`92`	`92`	`static ArgSlot GetArgCountWithoutExtraArgs(CallFlags flags, ArgSlot count);`
`93`	`93`
	`94`	`+ static bool HasExtraArg(CallFlags flags)`
	`95`	`+ {`
	`96`	`+ return (flags & CallFlags_ExtraArg) \|\| CallInfo::HasNewTarget(flags);`
	`97`	`+ }`
	`98`	`+`
`94`	`99`	`static bool HasNewTarget(CallFlags flags)`
`95`	`100`	`{`
`96`	`101`	`return (flags & CallFlags_NewTarget) == CallFlags_NewTarget;`