From 8d21cde342a4e826d96eb4ac85241f876b879aed Mon Sep 17 00:00:00 2001
From: Akrosh Gandhi
Date: Wed, 14 Nov 2018 11:46:00 -0800
Subject: [PATCH] CVE-2018-8583 Edge - Chakra JIT OOB 9 13 leads to RCE

In the loop range check we emit add instruction to add 1 to the range. That can overflow. We did't have overflow bailout over there. Fixed that by adding bailout over there.
---
 lib/Backend/GlobOptIntBounds.cpp | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/lib/Backend/GlobOptIntBounds.cpp b/lib/Backend/GlobOptIntBounds.cpp
index 58cd0148af7..5136013b1dc 100644
--- a/lib/Backend/GlobOptIntBounds.cpp
+++ b/lib/Backend/GlobOptIntBounds.cpp
@@ -1822,11 +1822,16 @@ void GlobOpt::GenerateLoopCountPlusOne(Loop *const loop, LoopCount *const loopCo
 IR::RegOpnd *loopCountOpnd = IR::RegOpnd::New(type, func);
 IR::RegOpnd *minusOneOpnd = IR::RegOpnd::New(loopCount->LoopCountMinusOneSym(), type, func);
 minusOneOpnd->SetIsJITOptimizedReg(true);
- insertBeforeInstr->InsertBefore(IR::Instr::New(Js::OpCode::Add_I4,
- loopCountOpnd,
- minusOneOpnd,
- IR::IntConstOpnd::New(1, type, func, true),
- func));
+ IR::Instr* incrInstr = IR::Instr::New(Js::OpCode::Add_I4,
+ loopCountOpnd,
+ minusOneOpnd,
+ IR::IntConstOpnd::New(1, type, func, true),
+ func);
+
+ insertBeforeInstr->InsertBefore(incrInstr);
+
+ // Incrementing to 1 can overflow - add a bounds check bailout here
+ incrInstr->ConvertToBailOutInstr(bailOutInfo, IR::BailOutOnFailedHoistedLoopCountBasedBoundCheck);
 loopCount->SetLoopCountSym(loopCountOpnd->GetStackSym());
 }
 }
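Review bot: The comment on the new ConvertToBailOutInstr line misstates the hazard: it is adding 1 to the loop-count-minus-one value that can overflow (when that value is already at the int32 maximum), not "incrementing to 1"; I would reword it as `// Adding 1 to LoopCountMinusOne can overflow when it is at INT32_MAX - bail out instead of wrapping`. The bailout kind attached to incrInstr, IR::BailOutOnFailedHoistedLoopCountBasedBoundCheck, is named for a failed bound check rather than arithmetic overflow, so this is only the fix the commit message describes if the lowering of Add_I4 under that kind checks the overflow flag; if that is the case, a one-line note saying so here would keep a later refactor of the lowerer from silently dropping the check. `bailOutInfo` is not declared in the hunk — presumably a parameter of GenerateLoopCountPlusOne, whose signature is cut off in the hunk header — so its lifetime relative to the converted instruction cannot be checked from here. Minor style: `IR::Instr* incrInstr` puts the star on the type while the surrounding declarations (`IR::RegOpnd *loopCountOpnd`) put it on the name.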