CVE-2019-0539, CVE-2019-0567 Edge - Chakra: JIT: Type confusion via NewScObjectNoCtor or InitProto - Google, Inc.

Chakra Automation · rajatd · commit 788f17b0ce06 · 2019-01-07T15:35:15.000-08:00
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -456,6 +456,15 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
         }
         break;
 
+    case Js::OpCode::InitClass:
+    case Js::OpCode::InitProto:
+    case Js::OpCode::NewScObjectNoCtor:
+        if (inGlobOpt)
+        {
+            KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
+        }
+        break;
+
     default:
         if (instr->UsesAllFields())
         {
