
[CVE-2017-11843] Edge - UAF in chakra the bug is in Js::GlobalObject:…

…:VEval function - Individual

Do not use the eval map when evaluating a PropertyString
leirocks committed Oct 20, 2017
1 parent 42789b2 commit 14f44de6188e403161a3fa3850025d391150e278
Showing with 8 additions and 2 deletions.
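--- a/lib/Runtime/Library/GlobalObject.cpp
+++ b/lib/Runtime/Library/GlobalObject.cpp
@@ -597,7 +597,13 @@ namespace Js
 char16 const * sourceString = argString->GetSz();
 charcount_t sourceLen = argString->GetLength();
 FastEvalMapString key(sourceString, sourceLen, moduleID, strictMode, isLibraryCode);
-bool found = scriptContext->IsInEvalMap(key, isIndirect, &pfuncScript);
+
+
+
+// PropertyString's buffer references to PropertyRecord's inline buffer, if both PropertyString and PropertyRecord are collected
+// we'll leave the PropertyRecord's interior buffer pointer in the EvalMap. So do not use evalmap if we are evaluating PropertyString
+bool useEvalMap = !VirtualTableInfo<PropertyString>::HasVirtualTable(argString);
+bool found = useEvalMap && scriptContext->IsInEvalMap(key, isIndirect, &pfuncScript);
 if (!found || (!isIndirect && pfuncScript->GetEnvironment() != &NullFrameDisplay))
 {
 uint32 grfscr = additionalGrfscr | fscrReturnExpression | fscrEval | fscrEvalCode | fscrGlobalCode;
@@ -610,7 +616,7 @@ namespace Js
 pfuncScript = library->GetGlobalObject()->EvalHelper(scriptContext, argString->GetSz(), argString->GetLength(), moduleID,
 grfscr, Constants::EvalCode, doRegisterDocument, isIndirect, strictMode);
 
-if (!found)
+if (useEvalMap && !found)
 {
 scriptContext->AddToEvalMap(key, isIndirect, pfuncScript);
 }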
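Review bot: The guard on the new `bool useEvalMap` line keys off an exact vtable match for PropertyString, so any other string kind whose character buffer is not owned by the string object itself (or a PropertyString-derived type with its own vtable) would still have its interior pointer cached in the EvalMap; whether such types exist is not visible here and should be confirmed before treating the UAF as closed. A more structural fix would make the FastEvalMapString key own or pin its source buffer (copy the chars, or keep the JavascriptString reachable for the lifetime of the map entry) instead of excluding one string kind at the call site. If the exclusion stays, the comment above `useEvalMap` should say that the check is exact-type, e.g. `// NOTE: HasVirtualTable is an exact-type check; a PropertyString-derived type would bypass this guard and reintroduce the dangling-key issue`, so the invariant is visible to whoever adds such a type. The enclosing VEval function starts and ends outside the hunk.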

