[CVE-2018-0933] Chakra: JIT - Incomplete Fix for MSRC-41913 - Google, Inc.

This change addresses a scenario where a deepCopy of a native array is needed when its head segment is already on the heap. In this case, it bypasses the previous fix because the head is on the stack and thus fails to do a deepCopy.
The fix is to unconditionally reallocate both the array object and its segments when deepCopy is true.

Author: Thomas Moore (CHAKRA)

lib/Runtime/Library/JavascriptArray.cpp

@@ -11700,8 +11700,11 @@ namespace Js
         }
 
         const size_t inlineSlotsSize = instance->GetTypeHandler()->GetInlineSlotsSize();
-        if (ThreadContext::IsOnStack(instance->head))
+        if (ThreadContext::IsOnStack(instance->head) || deepCopy)
         {
+            // Reallocate both the object as well as the head segment when the head is on the stack or
+            // when a deep copy is needed. This is to prevent a scenario where box may leave either one
+            // on the stack when both must be on the heap.
             boxedInstance = RecyclerNewPlusZ(instance->GetRecycler(),
                 inlineSlotsSize + sizeof(Js::SparseArraySegmentBase) + instance->head->size * sizeof(typename T::TElement),
                 T, instance, true, deepCopy);