
[CVE-2018-8139] Edge - Chakra type confusion in boundfunction handling - Internal
MSLaguana committed Apr 11, 2018
1 parent 87f3367 commit ee5dfabc51728f97f6d69e89c88af088251b6b76
Showing with 9 additions and 2 deletions.
  1. +9 −2 lib/Runtime/Library/BoundFunction.cpp
@@ -155,12 +155,12 @@ namespace Js
// OACR thinks that this can change between here and the check in the for loop below
const unsigned int argCount = args.Info.Count;

if ((boundFunction->count + argCount) > CallInfo::kMaxCountArgs)
if ((boundFunction->count + args.GetArgCountWithExtraArgs()) > CallInfo::kMaxCountArgs)
{
JavascriptError::ThrowRangeError(scriptContext, JSERR_ArgListTooLarge);
}

Field(Var) *newValues = RecyclerNewArray(scriptContext->GetRecycler(), Field(Var), boundFunction->count + argCount);
Field(Var) *newValues = RecyclerNewArray(scriptContext->GetRecycler(), Field(Var), boundFunction->count + args.GetArgCountWithExtraArgs());

uint index = 0;

@@ -188,8 +188,15 @@ namespace Js
newValues[index++] = args[i];
}

if (args.HasExtraArg())
{
newValues[index++] = args.Values[argCount];
}

actualArgs = Arguments(args.Info, unsafe_write_barrier_cast<Var*>(newValues));
actualArgs.Info.Count = boundFunction->count + argCount;

Assert(index == actualArgs.GetArgCountWithExtraArgs());
}
else
{
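Review bot: The new argument total `args.GetArgCountWithExtraArgs()` is evaluated separately at the range check and at the RecyclerNewArray allocation, whereas the existing code deliberately hoists `argCount` into a `const` so the bound check and the buffer size cannot drift apart (the OACR comment at the top of the first hunk states exactly that concern). Hoisting the new total the same way keeps the check, the allocation and the final `Assert` visibly tied to one value: `const unsigned int totalArgCount = args.GetArgCountWithExtraArgs();` then `if ((boundFunction->count + totalArgCount) > CallInfo::kMaxCountArgs)` and `RecyclerNewArray(scriptContext->GetRecycler(), Field(Var), boundFunction->count + totalArgCount)`. In the second hunk `actualArgs.Info.Count` is still set to `boundFunction->count + argCount`, so the extra slot copied under `args.HasExtraArg()` appears to be accounted for only through the flags carried over from `args.Info`; a one-line comment such as `// Count excludes the extra arg; the copied Info flags make GetArgCountWithExtraArgs() cover the last slot` would make that invariant explicit, since it is otherwise only checked by the debug-only Assert. The enclosing function begins before the first hunk and continues past the `else` branch at the end of the second.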
