[CVE-2018-8390] Edge - Inlining a fixed deferred function can lead to OOB read/write - Internal

pleath · aneeshdk · commit 63ae30a750a4 · 2018-08-14T11:49:01.000-07:00
diff --git a/lib/Backend/NativeCodeGenerator.cpp b/lib/Backend/NativeCodeGenerator.cpp
@@ -2848,7 +2848,7 @@ NativeCodeGenerator::GatherCodeGenData(
                 inlineCache->TryGetFixedMethodFromCache(functionBody, ldFldInlineCacheIndex, &fixedFunctionObject);
             }
 
-            if (fixedFunctionObject && !fixedFunctionObject->GetFunctionInfo()->IsDeferred() && fixedFunctionObject->GetFunctionBody() != inlineeFunctionBody)
+            if (fixedFunctionObject && fixedFunctionObject->GetFunctionInfo() != inlineeFunctionBody->GetFunctionInfo())
             {
                 fixedFunctionObject = nullptr;
             }

Original file line number	Diff line number	Diff line change
`@@ -2848,7 +2848,7 @@ NativeCodeGenerator::GatherCodeGenData(`
`2848`	`2848`	`inlineCache->TryGetFixedMethodFromCache(functionBody, ldFldInlineCacheIndex, &fixedFunctionObject);`
`2849`	`2849`	`}`
`2850`	`2850`
`2851`		`- if (fixedFunctionObject && !fixedFunctionObject->GetFunctionInfo()->IsDeferred() && fixedFunctionObject->GetFunctionBody() != inlineeFunctionBody)`
	`2851`	`+ if (fixedFunctionObject && fixedFunctionObject->GetFunctionInfo() != inlineeFunctionBody->GetFunctionInfo())`
`2852`	`2852`	`{`
`2853`	`2853`	`fixedFunctionObject = nullptr;`
`2854`	`2854`	`}`