[CVE-2018-8275] Edge - Chakra Array.splice UAF RCE - Zero Day Initiative

We have cleared the segment map before ArraySpecies. The ArraySpecies is re-entrant and once we have come back from you user code we may have constructed the segment map. This segment map is not
valid anymore as we are doing splicing. Fixed this by Clearing the segment map.

Author: akroshg

lib/Runtime/Library/JavascriptArray.cpp

@@ -5682,6 +5682,7 @@ using namespace Js;
             }
 
             pArr->InvalidateLastUsedSegment(); // lastUsedSegment might be 0-length and discarded above
+            pArr->ClearSegmentMap();
 #ifdef VALIDATE_ARRAY
             pArr->ValidateArray();
 #endif
@@ -5862,6 +5863,7 @@ using namespace Js;
             }
 
             pArr->InvalidateLastUsedSegment();
+            pArr->ClearSegmentMap();
         }
 
 #ifdef VALIDATE_ARRAY
@@ -6824,6 +6826,7 @@ using namespace Js;
         }
         SetHasNoMissingValues();
         this->InvalidateLastUsedSegment();
+        this->ClearSegmentMap();
 
 #ifdef VALIDATE_ARRAY
         ValidateArray();
@@ -7628,6 +7631,7 @@ using namespace Js;
             }
 
             pArr->InvalidateLastUsedSegment();
+            pArr->ClearSegmentMap();
 
             // it is possible for valueOf accessors for the start or deleteLen
             // arguments to modify the size of the array. Since the resulting size of the array
@@ -7656,6 +7660,7 @@ using namespace Js;
             failFastOnError.Completed();
 
             newArr->InvalidateLastUsedSegment();
+            newArr->ClearSegmentMap();
 
 #ifdef VALIDATE_ARRAY
             newArr->ValidateArray();
@@ -8107,6 +8112,7 @@ using namespace Js;
 
                 pArr->InvalidateLastUsedSegment();
                 pArr->length += unshiftElements;
+                pArr->ClearSegmentMap();
 
 #ifdef VALIDATE_ARRAY
                 pArr->ValidateArray();