From b481337f2ae6e92efd919692c6691996947f49ec Mon Sep 17 00:00:00 2001
From: Paul Leathers
Date: Wed, 20 Mar 2019 17:22:53 -0700
Subject: [PATCH] CVE-2019-0861 Chakra JIT Type Confusion 2 14 for Edge Bounty
---
 lib/Runtime/Language/JavascriptOperators.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
index 8d6d2ca0c7d..90f94b6e184 100644
--- a/lib/Runtime/Language/JavascriptOperators.cpp
+++ b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -9582,6 +9582,11 @@ using namespace Js;
 Var result = CALL_ENTRYPOINT(threadContext, marshalledFunction->GetEntryPoint(), function, CallInfo(flags, 2), thisVar, putValue);
 Assert(result);
+
+ // Set implicit call flags so we bail out if we're trying to propagate the stored value forward. We can't count on the getter/setter
+ // to produce the stored value on a LdFld.
+ threadContext->AddImplicitCallFlags(ImplicitCall_Accessor);
+
 return nullptr;
 });
 }
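Review bot: The added `threadContext->AddImplicitCallFlags(ImplicitCall_Accessor);` is placed only on this setter path (the lambda forwards `putValue` and invokes the callee with `CallInfo(flags, 2)`), while the new comment speaks of "getter/setter" and of LdFld; if a sibling getter helper in this file has the same shape, it presumably needs the same flag, and with the diffstat showing 5 insertions in one file that is worth confirming rather than assuming. The comment states the intended effect (force a bailout rather than let the JIT reuse the stored value on a later LdFld) but not why the flag is not already recorded by whatever invokes this lambda, so a reader cannot tell which classification of the accessor this line is guarding against; adding one clause such as `// recorded here unconditionally, independent of how the caller classified this accessor's side effects (confirm against ThreadContext)` would close that gap. The flag is set only after `CALL_ENTRYPOINT` returns, so a setter that unwinds by exception leaves it unset; whether that matters depends on how the JIT resumes after a throw, which is outside this hunk. The enclosing lambda and the function that owns it both start before the hunk.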