CVE-2019-0861 Chakra JIT Type Confusion 2 14 for Edge Bounty

chakra-core · Apr 8, 2019 · b481337 · b481337
1 parent 9a9ece6
commit b481337
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -9582,6 +9582,11 @@ using namespace Js;
 
             Var result = CALL_ENTRYPOINT(threadContext, marshalledFunction->GetEntryPoint(), function, CallInfo(flags, 2), thisVar, putValue);
             Assert(result);
+
+            // Set implicit call flags so we bail out if we're trying to propagate the stored value forward. We can't count on the getter/setter
+            // to produce the stored value on a LdFld.
+            threadContext->AddImplicitCallFlags(ImplicitCall_Accessor);
+
             return nullptr;
         });
     }