[1.10>master] [MERGE #5538 @dilijev] OS#17035705: Mark SetItem as JS_REENTRANT in CopyWithinHelper.

dilijev · dilijev · commit eb207594e939 · 2018-07-27T10:57:33.000-07:00
Merge pull request #5538 from dilijev:copywithin-reentrant Found by OSS-Fuzz
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -9244,8 +9244,10 @@ using namespace Js;
                     }
                     else if (pArr)
                     {
-                        JS_REENTRANT(jsReentLock, Var val = pArr->DirectGetItem(fromIndex));
-                        pArr->SetItem(toIndex, val, Js::PropertyOperation_ThrowIfNotExtensible);
+                        Var val = nullptr;
+                        JS_REENTRANT(jsReentLock,
+                            val = pArr->DirectGetItem(fromIndex),
+                            pArr->SetItem(toIndex, val, Js::PropertyOperation_ThrowIfNotExtensible));
 
                         if (!JavascriptArray::Is(obj))
                         {

Original file line number	Diff line number	Diff line change
`@@ -9244,8 +9244,10 @@ using namespace Js;`
`9244`	`9244`	`}`
`9245`	`9245`	`else if (pArr)`
`9246`	`9246`	`{`
`9247`		`- JS_REENTRANT(jsReentLock, Var val = pArr->DirectGetItem(fromIndex));`
`9248`		`- pArr->SetItem(toIndex, val, Js::PropertyOperation_ThrowIfNotExtensible);`
	`9247`	`+ Var val = nullptr;`
	`9248`	`+ JS_REENTRANT(jsReentLock,`
	`9249`	`+ val = pArr->DirectGetItem(fromIndex),`
	`9250`	`+ pArr->SetItem(toIndex, val, Js::PropertyOperation_ThrowIfNotExtensible));`
`9249`	`9251`
`9250`	`9252`	`if (!JavascriptArray::Is(obj))`
`9251`	`9253`	`{`