ChakraCore fix for servicing release 18-02B: CVE-2018-0857

chakra-core · Feb 13, 2018 · 6f4265c · 6f4265c
1 parent ee5ffb3
commit 6f4265c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/lib/Backend/Inline.cpp b/lib/Backend/Inline.cpp
@@ -292,6 +292,7 @@ Inline::Optimize(Func *func, __in_ecount_opt(callerArgOutCount) IR::Instr *calle
                             break;
                         }
 
+                        bool hasDstUsedBuiltInReturnType = false;
                         if(!inlineeData->HasBody())
                         {
                             Assert(builtInInlineCandidateOpCode != 0);
@@ -303,11 +304,12 @@ Inline::Optimize(Func *func, __in_ecount_opt(callerArgOutCount) IR::Instr *calle
                                 break;
                             }
 
-                            // This built-in function is going to be inlined, so reset the destination's value type
+                            // This built-in function should be inlined, so reset the destination's value type
                             if(!builtInReturnType.IsUninitialized())
                             {
                                 if(instr->GetDst())
                                 {
+                                    hasDstUsedBuiltInReturnType = true;
                                     instr->GetDst()->SetValueType(builtInReturnType);
                                     if(builtInReturnType.IsDefinite())
                                     {
@@ -367,7 +369,12 @@ Inline::Optimize(Func *func, __in_ecount_opt(callerArgOutCount) IR::Instr *calle
                         instrNext = builtInInlineCandidateOpCode != 0 ?
                             this->InlineBuiltInFunction(instr, inlineeData, builtInInlineCandidateOpCode, inlinerData, symThis, &isInlined, profileId, recursiveInlineDepth) :
                             this->InlineScriptFunction(instr, inlineeData, symThis, profileId, &isInlined, recursiveInlineDepth);
-
+                         if (!isInlined && hasDstUsedBuiltInReturnType)
+                        {
+                            // We haven't actually inlined the builtin, we need to revert the value type to likely
+                            instr->GetDst()->UnsetValueTypeFixed();
+                            instr->GetDst()->SetValueType(instr->GetDst()->GetValueType().ToLikely());
+                        }
                     }
                     if(++this->inlineesProcessed == inlinerData->GetInlineeCount())
                     {

diff --git a/lib/Backend/Opnd.h b/lib/Backend/Opnd.h
@@ -274,6 +274,7 @@ class Opnd
 
     bool                IsValueTypeFixed() const { return m_isValueTypeFixed; }
     void                SetValueTypeFixed() { m_isValueTypeFixed = true; }
+    void                UnsetValueTypeFixed() { m_isValueTypeFixed = false; }
     IR::RegOpnd *       FindRegUse(IR::RegOpnd *regOpnd);
     bool                IsArgumentsObject();