
Commit f67a121

pleathakroshg
authored and committed
CVE-2019-0739 Edge - WIP bug report: Type confusion for Edge on WIP
1 parent 35ee505 commit f67a121


1 file changed

+8
-8
lines changed


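--- a/lib/Backend/GlobOpt.cpp
+++ b/lib/Backend/GlobOpt.cpp
@@ -4813,7 +4813,7 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
 }
 else
 {
-return NewGenericValue(src1ValueInfo->Type().ToDefiniteAnyNumber(), dst);
+return NewGenericValue(src1ValueInfo->Type().ToDefiniteAnyNumber().SetCanBeTaggedValue(true), dst);
 }
 break;
 
@@ -4874,7 +4874,7 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
 {
 valueType = ValueType::Number;
 }
-return CreateDstUntransferredValue(valueType, instr, src1Val, src2Val);
+return CreateDstUntransferredValue(valueType.SetCanBeTaggedValue(true), instr, src1Val, src2Val);
 }
 
 case Js::OpCode::Add_A:
@@ -4908,12 +4908,12 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
 {
 // If one of them is a float, the result probably is a float instead of just int
 // but should always be a number.
-valueType = ValueType::Float;
+valueType = ValueType::Float.SetCanBeTaggedValue(true);
 }
 else
 {
 // Could be int, could be number
-valueType = ValueType::Number;
+valueType = ValueType::Number.SetCanBeTaggedValue(true);
 }
 }
 else if (src1ValueInfo->IsLikelyFloat() || src2ValueInfo->IsLikelyFloat())
@@ -4937,7 +4937,7 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
 && (src2Val && src2ValueInfo->IsNotString() && src2ValueInfo->IsPrimitive()))
 {
 // If src1 and src2 are not strings and primitive, add should yield a number.
-valueType = ValueType::Number;
+valueType = ValueType::Number.SetCanBeTaggedValue(true);
 }
 else if((src1Val && src1ValueInfo->IsLikelyString()) || (src2Val && src2ValueInfo->IsLikelyString()))
 {
@@ -4958,7 +4958,7 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
 ValueType divValueType = GetDivValueType(instr, src1Val, src2Val, false);
 if (divValueType.IsLikelyInt() || divValueType.IsFloat())
 {
-return CreateDstUntransferredValue(divValueType, instr, src1Val, src2Val);
+return CreateDstUntransferredValue(divValueType.SetCanBeTaggedValue(true), instr, src1Val, src2Val);
 }
 }
 // fall-through
@@ -4990,11 +4990,11 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
 // This should ideally be NewNumberAndLikelyFloatValue since we know the result is a number but not sure if it will
 // be a float value. However, that Number/LikelyFloat value type doesn't exist currently and all the necessary
 // checks are done for float values (tagged int checks, etc.) so it's sufficient to just create a float value here.
-valueType = ValueType::Float;
+valueType = ValueType::Float.SetCanBeTaggedValue(true);
 }
 else
 {
-valueType = ValueType::Number;
+valueType = ValueType::Number.SetCanBeTaggedValue(true);
 }
 
 return CreateDstUntransferredValue(valueType, instr, src1Val, src2Val);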
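Review bot: The comment at lines 4990-4992 still claims that creating a plain Float value is sufficient because "all the necessary checks are done for float values (tagged int checks, etc.)", yet the new side now has to add `.SetCanBeTaggedValue(true)` to keep that true, so the stated rationale is stale and the reason for the flag is recorded nowhere in the file. I would append to that comment a line such as `// The result must also be marked CanBeTaggedValue: a value typed Float/Number here may still be a tagged int at runtime, and without the flag later passes appear to elide the tagged-int check (CVE-2019-0739).` The same flag is applied ad hoc at every arithmetic site in this section, so a one-line why-comment at each site, or a small helper that applies it, would make it harder for a future opcode case to omit it. ValueNumberDst begins before the first hunk and its remaining cases lie outside these hunks, so whether any other arithmetic path still produces an unflagged Float/Number value cannot be confirmed from this view.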
