[CVE-2018-8294] Edge - In Cross Context scenario check for new target…

… first before marshalling the last parameter to a FrameDisplay - Internal
chakra-core · Jul 10, 2018 · 7af07fd · 7af07fd
1 parent 227fc37
commit 7af07fd
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/lib/Runtime/Base/CrossSite.cpp b/lib/Runtime/Base/CrossSite.cpp
@@ -489,7 +489,12 @@ namespace Js
         {
             args.Values[i] = CrossSite::MarshalVar(targetScriptContext, args.Values[i]);
         }
-        if (args.HasExtraArg())
+        if (args.HasNewTarget())
+        {
+            // Last value is new.target
+            args.Values[count] = CrossSite::MarshalVar(targetScriptContext, args.GetNewTarget());
+        }
+        else if (args.HasExtraArg())
         {
             // The final eval arg is a frame display that needs to be marshaled specially.
             args.Values[count] = CrossSite::MarshalFrameDisplay(targetScriptContext, args.GetFrameDisplay());

diff --git a/lib/Runtime/Language/Arguments.h b/lib/Runtime/Language/Arguments.h
@@ -229,7 +229,7 @@ namespace Js
 
         FrameDisplay* GetFrameDisplay() const
         {
-            AssertOrFailFast(Info.Flags & CallFlags_ExtraArg);
+            AssertOrFailFast((Info.Flags & CallFlags_ExtraArg) && (!this->HasNewTarget()));
 
             // There is an extra arg, so values should have Count + 1 members
             return (FrameDisplay*)(this->Values[Info.Count]);