[CVE-2018-8459] Edge - ChakraCore Type Confusion Vulnerability -

Author: pleath

lib/Runtime/Types/PathTypeHandler.cpp

@@ -2563,8 +2563,9 @@ namespace Js
         Assert(IsObjectHeaderInlinedTypeHandler());
 
         // Clone the type Path here to evolve separately
+        Recycler * recycler = library->GetRecycler();
         uint16 pathLength = GetPathLength();
-        TypePath * clonedPath = TypePath::New(library->GetRecycler(), pathLength);
+        TypePath * clonedPath = TypePath::New(recycler, pathLength);
 
         ObjectSlotAttributes *attributes = this->GetAttributeArray();
         for (PropertyIndex i = 0; i < pathLength; i++)
@@ -2597,12 +2598,29 @@ namespace Js
         }
         else
         {
+            uint8 newTypePathSize = clonedPath->GetPathSize();
+
+            ObjectSlotAttributes * newAttributes = RecyclerNewArrayLeaf(recycler, ObjectSlotAttributes, newTypePathSize);
+            memcpy(newAttributes, attributes, sizeof(ObjectSlotAttributes) * newTypePathSize);
+
+            PathTypeSetterSlotIndex * setters = GetSetterSlots();
+            PathTypeSetterSlotIndex * newSetters;
+            if (setters == nullptr)
+            {
+                newSetters = nullptr;
+            }
+            else
+            {
+                newSetters = RecyclerNewArrayLeaf(recycler, PathTypeSetterSlotIndex, newTypePathSize);
+                memcpy(newSetters, setters, sizeof(PathTypeSetterSlotIndex) * newTypePathSize);
+            }
+
             clonedTypeHandler =
                 PathTypeHandlerWithAttr::New(
                     library->GetScriptContext(),
                     clonedPath,
-                    attributes,
-                    GetSetterSlots(),
+                    newAttributes,
+                    newSetters,
                     GetSetterCount(),
                     GetPathLength(),
                     static_cast<PropertyIndex>(GetSlotCapacity()),