[CVE-2018-0937] Edge - Use after free of LdFld instruction in prePass…

…InstrMap - Google, Inc Run TryReplaceLdLen only when not in loop prepass Found by OSSFuzz
chakra-core · Mar 12, 2018 · 069c3fb · 069c3fb
1 parent 7087c31
commit 069c3fb
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -2481,8 +2481,11 @@ GlobOpt::OptInstr(IR::Instr *&instr, bool* isInstrRemoved)
         CurrentBlockData()->KillStateForGeneratorYield();
     }
 
-    // Change LdFld on arrays, strings, and 'arguments' to LdLen when we're accessing the .length field
-    this->TryReplaceLdLen(instr);
+    if (!IsLoopPrePass())
+    {
+        // Change LdFld on arrays, strings, and 'arguments' to LdLen when we're accessing the .length field
+        this->TryReplaceLdLen(instr);
+    }
 
     // Consider: Do we ever get post-op bailout here, and if so is the FillBailOutInfo call in the right place?
     if (instr->HasBailOutInfo() && !this->IsLoopPrePass())