[CVE-2019-1237]

MikeHolman · MikeHolman · commit 31f2588c7ba5 · 2019-09-09T11:22:09.000-07:00
diff --git a/lib/Runtime/Library/BoundFunction.cpp b/lib/Runtime/Library/BoundFunction.cpp
@@ -354,6 +354,12 @@ namespace Js
             Var varLength;
             if (targetFunction->GetProperty(targetFunction, PropertyIds::length, &varLength, nullptr, requestContext))
             {
+                if (!TaggedInt::Is(varLength))
+                {
+                    // ToInt32 conversion on non-primitive length can invalidate assumptions made by the JIT,
+                    // so add implicit call flag if length isn't a TaggedInt already
+                    requestContext->GetThreadContext()->AddImplicitCallFlags(ImplicitCall_Accessor);
+                }
                 len = JavascriptConversion::ToInt32(varLength, requestContext);
             }
 

Original file line number	Diff line number	Diff line change
`@@ -354,6 +354,12 @@ namespace Js`
`354`	`354`	`Var varLength;`
`355`	`355`	`if (targetFunction->GetProperty(targetFunction, PropertyIds::length, &varLength, nullptr, requestContext))`
`356`	`356`	`{`
	`357`	`+ if (!TaggedInt::Is(varLength))`
	`358`	`+ {`
	`359`	`+ // ToInt32 conversion on non-primitive length can invalidate assumptions made by the JIT,`
	`360`	`+ // so add implicit call flag if length isn't a TaggedInt already`
	`361`	`+ requestContext->GetThreadContext()->AddImplicitCallFlags(ImplicitCall_Accessor);`
	`362`	`+ }`
`357`	`363`	`len = JavascriptConversion::ToInt32(varLength, requestContext);`
`358`	`364`	`}`
`359`	`365`