[MERGE #5197 @boingoing] OS#17542375 Correct possible overflow of deferred stubs array

Merge pull request #5197 from boingoing:overflow_deferredstubs_array

When undeferring a function with deferred stubs, we try and use those stubs to determine if expressions beginning with a left paren are nested lambda functions. We do this when we see a left paren and the next deferred stub is a lambda function starting at the same character. Unfortunately we don't keep track of the count of deferred stubs in the current deferred stubs array. If all of the nested functions in the function we're undefering are located in source before the left paren character, we should not check for the next deferred stub as this would overflow the array and cause a possible AV.

Fix this by tracking the count of stubs in the current deferred stubs array.

Fixes:
https://microsoft.visualstudio.com/OS/_workitems/edit/17542375

Author: boingoing

lib/Parser/Parse.cpp

@@ -95,6 +95,7 @@ Parser::Parser(Js::ScriptContext* scriptContext, BOOL strictMode, PageAllocator
     m_currentNodeDeferredFunc(nullptr),
     m_currentNodeProg(nullptr),
     m_currDeferredStub(nullptr),
+    m_currDeferredStubCount(0),
     m_pCurrentAstSize(nullptr),
     m_ppnodeScope(nullptr),
     m_ppnodeExprScope(nullptr),
@@ -3068,7 +3069,7 @@ ParseNodePtr Parser::ParseTerm(BOOL fAllowCall,
         // is a lambda at the current character. If it is, we know this LParen is the beginning of a lambda nested
         // function and we can avoid parsing the next series of tokens as a parenthetical expression and reparsing
         // after finding the => token.
-        if (buildAST && m_currDeferredStub != nullptr && GetCurrentFunctionNode() != nullptr)
+        if (buildAST && m_currDeferredStub != nullptr && GetCurrentFunctionNode() != nullptr && GetCurrentFunctionNode()->nestedCount < m_currDeferredStubCount)
         {
             DeferredFunctionStub* stub = m_currDeferredStub + GetCurrentFunctionNode()->nestedCount;
             if (stub->ichMin == ichMin)
@@ -5577,13 +5578,17 @@ void Parser::ParseFncDeclHelper(ParseNodeFnc * pnodeFnc, LPCOLESTR pNameHint, us
                 {
                     *pNeedScanRCurly = false;
                 }
+                uint savedStubCount = m_currDeferredStubCount;
                 DeferredFunctionStub* savedStub = m_currDeferredStub;
                 if (pnodeFnc->IsNested() && pnodeFncSave != nullptr && m_currDeferredStub != nullptr && pnodeFncSave->ichMin != pnodeFnc->ichMin)
                 {
-                    m_currDeferredStub = (m_currDeferredStub + (pnodeFncSave->nestedCount - 1))->deferredStubs;
+                    DeferredFunctionStub* childStub = m_currDeferredStub + (pnodeFncSave->nestedCount - 1);
+                    m_currDeferredStubCount = childStub->nestedCount;
+                    m_currDeferredStub = childStub->deferredStubs;
                 }
                 this->FinishFncDecl(pnodeFnc, pNameHint, fLambda, skipFormals);
                 m_currDeferredStub = savedStub;
+                m_currDeferredStubCount = savedStubCount;
             }
             else
             {
@@ -11859,6 +11864,7 @@ HRESULT Parser::ParseSourceWithOffset(__out ParseNodeProg ** parseTree, LPCUTF8
     if (m_functionBody)
     {
         m_currDeferredStub = m_functionBody->GetDeferredStubs();
+        m_currDeferredStubCount = m_currDeferredStub != nullptr ? m_functionBody->GetNestedCount() : 0;
         m_InAsmMode = grfscr & fscrNoAsmJs ? false : m_functionBody->GetIsAsmjsMode();
     }
     m_deferAsmJs = !m_InAsmMode;

lib/Parser/Parse.h

@@ -415,6 +415,7 @@ class Parser
     ParseNodeFnc * m_currentNodeDeferredFunc; // current function or NULL
     ParseNodeProg * m_currentNodeProg; // current program
     DeferredFunctionStub *m_currDeferredStub;
+    uint m_currDeferredStubCount;
     int32 * m_pCurrentAstSize;
     ParseNodePtr * m_ppnodeScope;  // function list tail
     ParseNodePtr * m_ppnodeExprScope; // function expression list tail

test/Basics/bug_os17542375.js

@@ -0,0 +1,24 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+// With pageheap:2 we should not hit an AV
+
+function foo() {
+   var r = {};
+   var b = {};
+   var a = {};
+   a.$ = r;
+
+   function foo1() {
+   }
+   function foo2() {
+   }
+    return r.noConflict = function(b) {
+        return a.$ === r && (a.$ = Wb), b && a.jQuery === r && (a.jQuery = Vb), r
+    }, b || (a.jQuery = a.$ = r), r
+}
+
+foo();
+console.log('pass');

test/Basics/rlexe.xml

@@ -414,4 +414,11 @@
       <tags>exclude_test,exclude_jshost,exclude_dynapogo</tags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bug_os17542375.js</files>
+      <compile-flags>-UseParserStateCache -ParserStateCache -Force:DeferParse -pageheap:2</compile-flags>
+      <tags>exclude_test,exclude_jshost</tags>
+    </default>
+  </test>
 </regress-exe>