From a5d6be626305671166f21db359c1c06a3a372b8b Mon Sep 17 00:00:00 2001
From: Michael Holman
Date: Mon, 13 Nov 2017 17:02:54 -0800
Subject: [PATCH] [CVE-2017-11911] OOB read in asm.js - Google, Inc.
---
 lib/Runtime/Language/AsmJsModule.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/Runtime/Language/AsmJsModule.cpp b/lib/Runtime/Language/AsmJsModule.cpp
index fc5fb150de5..6a64fcf1e36 100644
--- a/lib/Runtime/Language/AsmJsModule.cpp
+++ b/lib/Runtime/Language/AsmJsModule.cpp
@@ -839,6 +839,7 @@ namespace Js
 AsmJsSIMDValue simdValue;
 simdValue.Zero();
 // define all variables
+ BVSparse initializerBV(&mAllocator);
 while (pnode->nop == knopList)
 {
 ParseNode * varNode = ParserWrapper::GetBinaryLeft(pnode);
@@ -932,6 +933,12 @@ namespace Js
 {
 return Fail(decl, _u("Failed to define var"));
 }
+ // If we are declaring a var that we previously used in an initializer, that value will be undefined // so we need to throw an error.
+ if (initializerBV.Test(var->GetName()->GetPropertyId()))
+ {
+ return Fail(decl, _u("Cannot declare a var after using it in an initializer"));
+ }
 RegSlot loc = Constants::NoRegister;
 if (pnodeInit->nop == knopInt)
 {
@@ -970,6 +977,7 @@ namespace Js
 if (declSym->GetSymbolType() == AsmJsSymbol::Variable)
 {
 AsmJsVar * definition = declSym->Cast();
+ initializerBV.Set(definition->GetName()->GetPropertyId());
 switch (definition->GetVarType().which())
 {
 case AsmJsVarType::Double:
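Review bot: The new `initializerBV` in the first hunk is declared with no comment saying what it records, and its role only becomes clear from the Test and Set in the two later hunks. A one-line comment at the declaration would help: `// property ids of module vars already referenced by an earlier var initializer; declaring one of them afterwards is rejected below`. The template argument of `BVSparse` appears to have been stripped by the page extraction, so the declaration as shown is presumably not the compiled form. The enclosing function begins before this hunk.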
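Review bot: The Test added in the second hunk runs before the Set added in the third hunk within what appears to be the same loop iteration, so a var that references itself in its own initializer (`var a = a;`) is never flagged by the bit vector; whether the lookup that produces `declSym` rejects a symbol whose definition is still in progress cannot be seen from the hunk. If `var` is still in scope where `definition` is resolved, a direct check there would close that gap: `if (definition == var) { return Fail(decl, _u("Cannot use a var in its own initializer")); }`. The fix also relies entirely on this compile-time ordering rule; an assertion that the referenced var's value slot has actually been initialized at the site that reads it would be worthwhile defense in depth, but that site is outside the hunk. The enclosing function starts and ends outside this hunk.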