18-01 Security Update #4503

Merged
merged 20 commits into from Jan 5, 2018
0ea8624
[CVE-2018-0769] JIT: Incorrect bounds calculation - Google, Inc.
pleath Dec 13, 2017
5c26851
[CVE-2018-0774] Incorrect scope handling - Google, Inc.
pleath Dec 13, 2017
985a82f
[CVE-2018-0768] Use of PropertyString and SubString,GetString() could…
Dec 13, 2017
40e45fc
[CVE-2018-0776] JIT: stack-to-heap copy bug - Google, Inc.
Dec 13, 2017
82825da
[CVE-2018-0767] OOB read in AppendLeftOverItemsFromEndSegment - Googl…
Cellule Dec 1, 2017
14c752b
[CVE-2018-0777] JIT: Loop analysis bug - Google, Inc.
pleath Dec 2, 2017
ee5ac64
[CVE-2018-0775] Deferred parsing makes wrong scopes #2 - Google, Inc.
pleath Dec 4, 2017
7013465
[CVE-2018-0780] AsmJSByteCodeGenerator::EmitCall call handling result…
Cellule Dec 13, 2017
9a77b67
Fix for xplat build for CVE-2018-0767
Cellule Dec 13, 2017
be3b212
[CVE-2018-0778] Stack use after scope in Emit
aneeshdk Dec 14, 2017
1d0a527
[CVE-2018-0781] Stack-use-after-scope in Js::JavascriptFunction::Call…
aneeshdk Dec 14, 2017
b0ff4cc
[CVE-2018-0770] JIT: Incomplete fix for issue 1365 - Google, Inc.
rajatd Dec 19, 2017
51a6b6a
[CVE-2018-0762] 2 crashes : jscript9!JsJavascriptOperatorsPatchGetMet…
leirocks Dec 19, 2017
a1c8240
[CVE-2018-0772] Chakra Access violation - chakracore!Memory::HeapBloc…
leirocks Dec 19, 2017
4db0bd2
[CVE-2018-0758] Integer overflow bug in the latest version of Edge ca…
Dec 20, 2017
a267c5b
[CVE-2018-0773] An uaf bug in the latest version of Edge,lead to rce …
boingoing Dec 20, 2017
ee2538d
Disable SharedArrayBuffer by default
leirocks Jan 3, 2018
50677d3
Update ChakraCore version to 1.7.6
Jan 4, 2018
2281a73
Fix xplat build error
Jan 5, 2018
7b59f02
Fix copyright build error
Jan 5, 2018
[CVE-2018-0778] Stack use after scope in Emit

The variable was declared inside an if-else condition and is used outside the block.
aneeshdk authored and Thomas Moore (CHAKRA) committed Dec 14, 2017
commit be3b2126b0f309f11c19268fdee828204ae50329
@@ -11451,6 +11451,7 @@ void Emit(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator, FuncInfo *func
}
};

ByteCodeGenerator::TryScopeRecord tryRecForCatch(Js::OpCode::ResumeCatch, catchLabel);
if (isPattern)
{
Parser::MapBindIdentifier(pnodeObj->sxParamPattern.pnode1, [&](ParseNodePtr item)
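Review bot: the hoisted `ByteCodeGenerator::TryScopeRecord tryRecForCatch(Js::OpCode::ResumeCatch, catchLabel);` at the top of this hunk (the single added line, per the `-11451,6 +11451,7` header) is the whole fix, and it deserves a one-line comment stating that the record must outlive the `if (isPattern)` / else branches because its address is linked into `byteCodeGenerator->tryScopeRecordsList`; without that, the next refactor can move it back into a branch and reintroduce the stack-use-after-scope the commit message describes. Also confirm that `catchLabel` is already initialised at this earlier point, since the declaration now runs before the pattern-binding code that previously preceded it.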
@@ -11471,7 +11472,6 @@ void Emit(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator, FuncInfo *func
ParseNodePtr pnode1 = pnodeObj->sxParamPattern.pnode1;
Assert(pnode1->IsPattern());

ByteCodeGenerator::TryScopeRecord tryRecForCatch(Js::OpCode::ResumeCatch, catchLabel);
if (funcInfo->byteCodeFunction->IsCoroutine())
{
byteCodeGenerator->tryScopeRecordsList.LinkToEnd(&tryRecForCatch);
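Review bot: removing the block-local `tryRecForCatch` declaration here (the one deleted line, per `-11471,7 +11472,6`) makes `LinkToEnd(&tryRecForCatch)` take the address of the function-scope record instead of a stack object that dies at the end of this `if (isPattern)` block, which is the correct direction; the removal is only sound because the surviving outer declaration is constructed with the identical arguments `Js::OpCode::ResumeCatch, catchLabel`, so any future change to those arguments must be made at the hoisted site, not re-added here.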
@@ -11494,7 +11494,6 @@ void Emit(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator, FuncInfo *func
byteCodeGenerator->Writer()->Empty(Js::OpCode::Nop);
byteCodeGenerator->EndStatement(pnodeCatch);

ByteCodeGenerator::TryScopeRecord tryRecForCatch(Js::OpCode::ResumeCatch, catchLabel);
if (funcInfo->byteCodeFunction->IsCoroutine())
{
byteCodeGenerator->tryScopeRecordsList.LinkToEnd(&tryRecForCatch);
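Review bot: same change as the previous hunk for the non-pattern catch path, so both branches now link the one shared `tryRecForCatch` node into `tryScopeRecordsList` under `funcInfo->byteCodeFunction->IsCoroutine()`; since the record's lifetime is now the enclosing scope rather than the branch, the corresponding unlink should be checked to happen before that scope ends, and a regression test that compiles a generator/async function containing a `catch` (both a plain identifier and a destructuring pattern) would pin the fix, because the coroutine branch is the only one that stores the record's address.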