…:VEval function - Individual

do not use eval map if we are eval-ing PropertyString

…hoo 360

…f a javascript null scope object. - Internal

…turn the return instruction - Google, Inc.

…o RCE - Zero Day Initiative

Fix *::TransferPass0 overflowing the returning integer, the allocation part is the only point that using the returning value.

…ontrolled allocation size and write - Individual

When parsing a string template literal, we temporarily suspend updating some of the offset counters. If an attacker crafts a string template that contains multibyte characters, it is possible to overflow the minLine counter. The attacker can directly control the size of the overflow, which is then used in an allocation and offset calculation when handling a parse error. Further control can be gained by triggering a scanner capture and restore to propagate this bad counter value.
Unfortunately this would have been caught by existing bounds checks, but they are asserts only. There are other instances of these around the codebase, but I did not see any exploits for those.
To fix this, we manually update the minLine counter at the point where it would normally have been updated outside of a string template. I also changed the subtraction overflow asserts to be failfasts and added an assert for detecting overflow with multibyte characters. In the non-assert case, we will return 0. Other similar checks in IchMinTok and IchLimTok have also been converted.

…P_Memset: Type Confusion - Google, Inc.

…String's buffer could cause UAF.

…er IsLoopPrePass properly - Google, Inc.

…llocation - Google, Inc.

…lead to RCE - Individual

… check in Lowerer::LowerBoundCheck - Google, Inc.

Math on IntConstType should be bounded by IRType of the Opnd. In case of Lowerer::LowerBoundCheck, it ended up that the IntConstOpnd is a TyInt32 and the overflow leads to bad bound check being emitted.
For this I added a new IntConstMath class which takes an IRType as a parameter and validates that the result can be represented by that IRType.

… Qihoo 360

OOM in the Array.Shift method have left the array in the bad state and later it got overlapped and exploited. Fixed that by making the any exception as failfast in that region

…vidual

Export was not taking care of destructuring nodes, leading to type confusion. Fixed that by adding support for walking those nodes.

…en for function objects with inline cache

When trying to get inlineCaches for a ScriptFunctionWithInlineCache if the function got redefered and didn't got reparsed function body won’t be there (hence no inlineCache on function body). Check that and reset the inlineCache of ScriptFunctionWithInlineCache for such case.

… Internal

… eval on property will be slower, especially in debug build.

here empty string or single char string is backed by property string (an optimazation for using inline buffer), and these two tests
keep eval on empty string until stack overflow, which causes timeout on debug build.

changing to eval on two spaces instead of empty string to avoid the issue