ChakraCore fix for servicing release 18-02B: CVE-2018-0834

chakra-core · Feb 13, 2018 · 6cd5032 · 6cd5032
1 parent 24c7fa2
commit 6cd5032
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -15399,6 +15399,24 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr)
             }
             break;
         }
+
+        case Js::OpCode::InitProto:
+        {
+            // Find the 'this' parameter and check if it's possible for it to be an array
+            IR::Opnd *const arrayOpnd = instr->GetSrc1();
+            Assert(arrayOpnd);
+            const ValueType arrayValueType(arrayOpnd->GetValueType());
+            if(!arrayOpnd->IsRegOpnd() || (useValueTypes && arrayValueType.IsNotArrayOrObjectWithArray()))
+            {
+                break;
+            }
+
+            if(doNativeArrayTypeSpec && !(useValueTypes && arrayValueType.IsNotNativeArray()))
+            {
+                kills.SetKillsNativeArrays();
+            }
+            break;
+        }            
     }
 
     return kills;