[CVE-2018-8513] Type confusion after converting accessor property to data

pleath · Thomas Moore (CHAKRA) · commit 8997c7017891 · 2018-10-08T11:30:29.000-07:00
diff --git a/lib/Runtime/Types/PathTypeHandler.cpp b/lib/Runtime/Types/PathTypeHandler.cpp
@@ -1476,6 +1476,9 @@ namespace Js
                 if (!(attributes[descriptor->GetDataPropertyIndex<false>()] & ObjectSlotAttr_Accessor))
                 {
                     // Setter without a getter; this is a stale entry, so ignore it
+                    // Just consume the slot so no descriptor refers to it.
+                    Assert(i == newTypeHandler->nextPropertyIndex);
+                    ::Math::PostInc(newTypeHandler->nextPropertyIndex);
                     continue;
                 }
                 Assert(oldTypeHandler->GetSetterSlotIndex(descriptor->GetDataPropertyIndex<false>()) == newTypeHandler->nextPropertyIndex);

Original file line number	Diff line number	Diff line change
`@@ -1476,6 +1476,9 @@ namespace Js`
`1476`	`1476`	`if (!(attributes[descriptor->GetDataPropertyIndex<false>()] & ObjectSlotAttr_Accessor))`
`1477`	`1477`	`{`
`1478`	`1478`	`// Setter without a getter; this is a stale entry, so ignore it`
	`1479`	`+ // Just consume the slot so no descriptor refers to it.`
	`1480`	`+ Assert(i == newTypeHandler->nextPropertyIndex);`
	`1481`	`+ ::Math::PostInc(newTypeHandler->nextPropertyIndex);`
`1479`	`1482`	`continue;`
`1480`	`1483`	`}`
`1481`	`1484`	`Assert(oldTypeHandler->GetSetterSlotIndex(descriptor->GetDataPropertyIndex<false>()) == newTypeHandler->nextPropertyIndex);`