From b03a96112fb05158a040caba88919cd70648f09f Mon Sep 17 00:00:00 2001
From: Paul Leathers
Date: Wed, 20 Mar 2019 17:42:09 -0700
Subject: [PATCH] CVE-2019-0829 Edge - Chakra JIT Type Confusion (case38) -
---
 lib/Runtime/Library/JavascriptRegExpConstructor.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/Runtime/Library/JavascriptRegExpConstructor.cpp b/lib/Runtime/Library/JavascriptRegExpConstructor.cpp
index e1d347bea80..2be484895a6 100644
--- a/lib/Runtime/Library/JavascriptRegExpConstructor.cpp
+++ b/lib/Runtime/Library/JavascriptRegExpConstructor.cpp
@@ -360,6 +360,10 @@ namespace Js
 EnsureValues(); // The last match info relies on the last input. Use it before it is changed.
 this->lastInput = tempInput;
 }
+
+ // Set implicit call flags since we are not necessarily making the original stored value available on re-load
+ // and are killing the store that backs two exposed properties.
+ this->GetScriptContext()->GetThreadContext()->AddImplicitCallFlags(ImplicitCall_Accessor);
 *result = true;
 return true;
 case PropertyIds::lastMatch:
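Review bot: The new `AddImplicitCallFlags(ImplicitCall_Accessor)` call is placed inside a single `case` of the property-set switch, immediately before `*result = true;`, so only this one setter tells the JIT that its cached view of the object is stale; the `case PropertyIds::lastMatch:` branch that follows, and any other branch in this switch that overwrites the stored match state, would need the same flag if they likewise invalidate a store the JIT may have hoisted, and the hunk does not show whether they do. The comment should also be made precise enough to audit: it refers to "two exposed properties" and "the store that backs" them without naming which properties or which field, so a later change to this setter cannot be checked against the invariant it protects; a wording such as `// Raise ImplicitCall_Accessor: this setter replaces the backing store of <the two affected properties>, so JIT'd code must not reuse a value loaded before this call` (with the actual property names filled in) would let a reviewer verify the claim. The enclosing function and switch begin before the hunk and the switch continues after it, so the remaining branches could not be checked here.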