From 303d997b65faf5a4eebb08a98c52b8ee3fb72287 Mon Sep 17 00:00:00 2001
From: Michael Ferris
Date: Thu, 26 Jan 2017 15:46:54 -0800
Subject: [PATCH] [CVE-2017-0093] Type confusion in asm.js arguments

When calling eval we pass an additional argument to the function. If we've assigned an asm.js function to eval, then we need to remove that additional argument before getting the arguments
---
 lib/Runtime/Language/AsmJsUtils.cpp | 3 ++-
 test/AsmJs/evalbug.js | 18 ++++++++++++++++++
 test/AsmJs/rlexe.xml | 5 +++++
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 test/AsmJs/evalbug.js

diff --git a/lib/Runtime/Language/AsmJsUtils.cpp b/lib/Runtime/Language/AsmJsUtils.cpp
index 410d296c690..09290913f21 100644
--- a/lib/Runtime/Language/AsmJsUtils.cpp
+++ b/lib/Runtime/Language/AsmJsUtils.cpp
@@ -217,7 +217,8 @@ namespace Js
 AsmJsModuleInfo::EnsureHeapAttached(func);
- uint actualArgCount = callInfo.Count - 1; // -1 for ScriptFunction
+ ArgumentReader reader(&callInfo, origArgs);
+ uint actualArgCount = reader.Info.Count - 1; // -1 for ScriptFunction
 argDst = argDst + MachPtr; // add one first so as to skip the ScriptFunction argument
 for (ArgSlot i = 0; i < info->GetArgCount(); i++)
 {
diff --git a/test/AsmJs/evalbug.js b/test/AsmJs/evalbug.js
new file mode 100644
index 00000000000..5372beab079
--- /dev/null
+++ b/test/AsmJs/evalbug.js
@@ -0,0 +1,18 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+function asm() {
+"use asm"
+function f(a, b) {
+a = a|0;
+b = b|0;
+return a|0;
+}
+return f;
+}
+
+eval = asm();
+eval("some string");
+print("PASSED");
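Review bot: The adjusted count on `+ uint actualArgCount = reader.Info.Count - 1;` is only half of the fix if the copy loop that follows (the enclosing function continues past the end of the hunk) still indexes the raw `origArgs`/`callInfo` rather than the arguments as seen through `reader`; if `ArgumentReader` also shifts the values pointer to drop the eval extra argument, the count and the data must come from the same object or the mismatch moves rather than disappears, so this is worth confirming against the loop body. The subtraction is on an unsigned `uint`, so a `reader.Info.Count` of 0 would wrap to a huge `actualArgCount`; making the invariant explicit with the file's assert macro, e.g. `Assert(reader.Info.Count >= 1);` immediately before it, is cheap. The reason for introducing `ArgumentReader` currently lives only in the commit message; a comment on that line such as `// ArgumentReader drops the extra argument pushed when this asm.js function is invoked through eval, so Count matches the declared signature` keeps that context next to the code.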
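Review bot: The test on the `+eval("some string");` line only establishes that the call does not crash; because the defect was arguments being read from the wrong slot, a build that silently returns the wrong value would still print PASSED. Checking the return value pins the fix, e.g. replace the last two lines with `if (eval("some string") !== 0 || eval(7) !== 7) { print("FAILED"); } else { print("PASSED"); }`, where the numeric case makes a shifted argument read detectable rather than masked by `"some string"|0` being 0. A comment above `eval = asm();` noting that the call must remain syntactically a call to the name `eval` (a direct-eval call site) would also help, since that is presumably what triggers the extra argument the commit message describes and a refactor that renames the binding would quietly stop exercising the path.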
diff --git a/test/AsmJs/rlexe.xml b/test/AsmJs/rlexe.xml index 7a1c1221611..2181f7a5cac 100644 --- a/test/AsmJs/rlexe.xml +++ b/test/AsmJs/rlexe.xml @@ -536,6 +536,11 @@ -testtrace:asmjs -simdjs + + + evalbug.js + + constTest.js