[CVE-2018-8385] Edge - Logic bug in Chakra temp tracker leads to invalid pointer read - Internal

When merging block data for loops, we may have data from one edge that a sym is non-temp, but from a different edge we know that there is a temp transfer dependency on that sym. This leads to an inconsistency between the sets where we can treat a non-temp sym as a temp.

To solve this, I've changed so that when we merge data we check if any transfer dependency sets have a non-temp sym, and if so it should also be treated as non-temp.

Author: MikeHolman

lib/Backend/TempTracker.cpp

@@ -79,9 +79,19 @@ TempTrackerBase::~TempTrackerBase()
 void
 TempTrackerBase::MergeData(TempTrackerBase * fromData, bool deleteData)
 {
-    nonTempSyms.Or(&fromData->nonTempSyms);
-    tempTransferredSyms.Or(&fromData->tempTransferredSyms);
-    MergeDependencies(tempTransferDependencies, fromData->tempTransferDependencies, deleteData);
+    this->nonTempSyms.Or(&fromData->nonTempSyms);
+    this->tempTransferredSyms.Or(&fromData->tempTransferredSyms);
+    this->MergeDependencies(this->tempTransferDependencies, fromData->tempTransferDependencies, deleteData);
+    if (this->tempTransferDependencies)
+    {
+        FOREACH_HASHTABLE_ENTRY(BVSparse<JitArenaAllocator> *, bucket, this->tempTransferDependencies)
+        {
+            if (bucket.element->Test(&this->nonTempSyms))
+            {
+                this->nonTempSyms.Set(bucket.value);
+            }
+        } NEXT_HASHTABLE_ENTRY;
+    }
 }
 
 void