[CVE-2018-8294] Edge - In Cross Context scenario check for new target first before marshalling the last parameter to a FrameDisplay - Internal

atulkatti · Atul Katti · commit 7af07fdfb3cf · 2018-07-10T10:03:48.000-07:00
diff --git a/lib/Runtime/Base/CrossSite.cpp b/lib/Runtime/Base/CrossSite.cpp
@@ -489,7 +489,12 @@ namespace Js
         {
             args.Values[i] = CrossSite::MarshalVar(targetScriptContext, args.Values[i]);
         }
-        if (args.HasExtraArg())
+        if (args.HasNewTarget())
+        {
+            // Last value is new.target
+            args.Values[count] = CrossSite::MarshalVar(targetScriptContext, args.GetNewTarget());
+        }
+        else if (args.HasExtraArg())
         {
             // The final eval arg is a frame display that needs to be marshaled specially.
             args.Values[count] = CrossSite::MarshalFrameDisplay(targetScriptContext, args.GetFrameDisplay());
diff --git a/lib/Runtime/Language/Arguments.h b/lib/Runtime/Language/Arguments.h
@@ -229,7 +229,7 @@ namespace Js
 
         FrameDisplay* GetFrameDisplay() const
         {
-            AssertOrFailFast(Info.Flags & CallFlags_ExtraArg);
+            AssertOrFailFast((Info.Flags & CallFlags_ExtraArg) && (!this->HasNewTarget()));
 
             // There is an extra arg, so values should have Count + 1 members
             return (FrameDisplay*)(this->Values[Info.Count]);

Original file line number	Diff line number	Diff line change
`@@ -489,7 +489,12 @@ namespace Js`
`489`	`489`	`{`
`490`	`490`	`args.Values[i] = CrossSite::MarshalVar(targetScriptContext, args.Values[i]);`
`491`	`491`	`}`
`492`		`- if (args.HasExtraArg())`
	`492`	`+ if (args.HasNewTarget())`
	`493`	`+ {`
	`494`	`+ // Last value is new.target`
	`495`	`+ args.Values[count] = CrossSite::MarshalVar(targetScriptContext, args.GetNewTarget());`
	`496`	`+ }`
	`497`	`+ else if (args.HasExtraArg())`
`493`	`498`	`{`
`494`	`499`	`// The final eval arg is a frame display that needs to be marshaled specially.`
`495`	`500`	`args.Values[count] = CrossSite::MarshalFrameDisplay(targetScriptContext, args.GetFrameDisplay());`
Original file line number	Diff line number	Diff line change
`@@ -229,7 +229,7 @@ namespace Js`
`229`	`229`
`230`	`230`	`FrameDisplay* GetFrameDisplay() const`
`231`	`231`	`{`
`232`		`- AssertOrFailFast(Info.Flags & CallFlags_ExtraArg);`
	`232`	`+ AssertOrFailFast((Info.Flags & CallFlags_ExtraArg) && (!this->HasNewTarget()));`
`233`	`233`
`234`	`234`	`// There is an extra arg, so values should have Count + 1 members`
`235`	`235`	`return (FrameDisplay*)(this->Values[Info.Count]);`