[CVE-2018-0874] - Chakra Array Includes Uninitialized Memory RCE - In…

…dividual Callbacks while sorting causes the head of an array to not have any missing value, although later we cause an exception in the sorting. Which left the array in the inconsistent state. Later in the HeadSegmentIndexOfHelper we exploit that situation. Fixed that by reseting the no-missing value state in the no-exception case. And also put fail-fast where we don't expect it happen.
chakra-core · Mar 12, 2018 · 7087c31 · 7087c31
1 parent 024353a
commit 7087c31
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -4137,6 +4137,10 @@ namespace Js
                     return i;
                 }
             }
+            else if (SparseArraySegment<Var>::IsMissingItem(&element))
+            {
+                AssertOrFailFast(false);
+            }
             else if (includesAlgorithm && JavascriptConversion::SameValueZero(element, search))
             {
                 //Array.prototype.includes
@@ -6667,6 +6671,8 @@ namespace Js
             ClearSegmentMap(); // Dump the segmentMap again in case user compare function rebuilds it
             if (hasException)
             {
+                // The current array might have affected due to callbacks. As we have got the exception we should be resetting the missing value.
+                SetHasNoMissingValues(false);
                 head = startSeg;
                 this->InvalidateLastUsedSegment();
             }