CVE-2019-0810 Type Confusion with DeleteElemI_A & DeleteElemIStrict_A - 360Vulcan

Meghana Gupta · akroshg · commit 35ee5053bfc3 · 2019-04-08T10:26:06.000-07:00
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -237,10 +237,17 @@ GlobOpt::KillLiveElems(IR::IndirOpnd * indirOpnd, BVSparse<JitArenaAllocator> *
         this->KillAllFields(bv); // This also kills all property type values, as the same bit-vector tracks those stack syms
         SetAnyPropertyMayBeWrittenTo();
     }
-    else if (inGlobOpt && indexOpnd && !indexOpnd->GetValueType().IsInt() && !currentBlock->globOptData.IsInt32TypeSpecialized(indexOpnd->m_sym))
+    else if (inGlobOpt)
     {
-        // Write/delete to a non-integer numeric index can't alias a name on the RHS of a dot, but it change object layout
-        this->KillAllObjectTypes(bv);
+        Value * indexValue = indexOpnd ? this->currentBlock->globOptData.FindValue(indexOpnd->GetSym()) : nullptr;
+        ValueInfo * indexValueInfo = indexValue ? indexValue->GetValueInfo() : nullptr;
+        int indexLowerBound = 0;
+
+        if (indirOpnd->GetOffset() < 0 || (indexOpnd && (!indexValueInfo || !indexValueInfo->TryGetIntConstantLowerBound(&indexLowerBound, false) || indexLowerBound < 0)))
+        {
+            // Write/delete to a non-integer numeric index can't alias a name on the RHS of a dot, but it change object layout
+            this->KillAllObjectTypes(bv);
+        }
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -237,10 +237,17 @@ GlobOpt::KillLiveElems(IR::IndirOpnd * indirOpnd, BVSparse<JitArenaAllocator> *`
`237`	`237`	`this->KillAllFields(bv); // This also kills all property type values, as the same bit-vector tracks those stack syms`
`238`	`238`	`SetAnyPropertyMayBeWrittenTo();`
`239`	`239`	`}`
`240`		`- else if (inGlobOpt && indexOpnd && !indexOpnd->GetValueType().IsInt() && !currentBlock->globOptData.IsInt32TypeSpecialized(indexOpnd->m_sym))`
	`240`	`+ else if (inGlobOpt)`
`241`	`241`	`{`
`242`		`- // Write/delete to a non-integer numeric index can't alias a name on the RHS of a dot, but it change object layout`
`243`		`- this->KillAllObjectTypes(bv);`
	`242`	`+ Value * indexValue = indexOpnd ? this->currentBlock->globOptData.FindValue(indexOpnd->GetSym()) : nullptr;`
	`243`	`+ ValueInfo * indexValueInfo = indexValue ? indexValue->GetValueInfo() : nullptr;`
	`244`	`+ int indexLowerBound = 0;`
	`245`	`+`
	`246`	`+ if (indirOpnd->GetOffset() < 0 \|\| (indexOpnd && (!indexValueInfo \|\| !indexValueInfo->TryGetIntConstantLowerBound(&indexLowerBound, false) \|\| indexLowerBound < 0)))`
	`247`	`+ {`
	`248`	`+ // Write/delete to a non-integer numeric index can't alias a name on the RHS of a dot, but it change object layout`
	`249`	`+ this->KillAllObjectTypes(bv);`
	`250`	`+ }`
`244`	`251`	`}`
`245`	`252`	`}`
`246`	`253`