Fixing Crosssite issue during Array.Concat OS: 18874745

akroshg · akroshg · commit fd62760dbc2a · 2019-03-29T15:04:49.000-07:00
We were not marshalling the value while putting into the destination array.
Fixed that by marshalling it.
diff --git a/lib/Runtime/Library/JavascriptArray.inl b/lib/Runtime/Library/JavascriptArray.inl
@@ -480,6 +480,7 @@ namespace Js
 
     inline void JavascriptArray::GenericDirectSetItemAt(const uint32 index, Var newValue)
     {
+        newValue = CrossSite::MarshalVar(this->GetScriptContext(), newValue);
         this->DirectSetItemAt(index, newValue);
     }
 
diff --git a/test/Bugs/misc_bugs.js b/test/Bugs/misc_bugs.js
@@ -221,6 +221,31 @@ var tests = [
         }
       }
   },
+  {
+    name: "CrossSite issue while array concat OS: 18874745",
+    body: function () {
+          function test0() {
+            var IntArr0 = Array();
+            var sc0Code = `
+              Object.defineProperty(Array, Symbol.species, { value : function() {
+                      return IntArr0;
+                      }
+                  }
+              );
+            test = function(a, list) {
+                return [a].concat(list);
+            }
+            function out() {
+              test({}, [1]);
+            }
+            `;
+            var sc0 = WScript.LoadScript(sc0Code, 'samethread');
+            sc0.IntArr0 = IntArr0;
+            sc0.out();
+          }
+         test0();
+      }
+  },
   {
     name: "calling promise's function as constructor should not be allowed",
     body: function () {

Original file line number	Diff line number	Diff line change
`@@ -480,6 +480,7 @@ namespace Js`
`480`	`480`
`481`	`481`	`inline void JavascriptArray::GenericDirectSetItemAt(const uint32 index, Var newValue)`
`482`	`482`	`{`
	`483`	`+ newValue = CrossSite::MarshalVar(this->GetScriptContext(), newValue);`
`483`	`484`	`this->DirectSetItemAt(index, newValue);`
`484`	`485`	`}`
`485`	`486`