Fix misused calls to BOOL JavascriptOperators::GetItem

MSRC 32922 CVE-2016-0191 CVE-2016-0186 Calls were being made to JavascriptOperators::GetItem and not checking the return value to see if the property was actually found. Some implementations of GetItem do not touch the value out parameter when returning false and so we had potential use of an uninitialized variable in the cases where the return value was not checked. These cases have been changed to use the overload of GetItem that returns undefined if the property is not found. ES6 spec says that the Has operation must be executed first (which we must follow due to Proxy trapping) before doing a Get in most of these cases. Our code assumed that if Has returned true then Get would also return true but this is no longer true now with the Proxy feature. Proxy can provide a has trap that returns true but then give no get trap leading to Has -> true, Get -> false.
chakra-core · May 12, 2016 · d21529b · d21529b
1 parent ea29437
commit d21529b
Show file tree

Hide file tree

Showing 4 changed files with 110 additions and 141 deletions.
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -10554,6 +10554,17 @@ namespace Js
         return JavascriptOperators::GetPropertyReference(instance, instance, propertyId, value, requestContext, info);
     }
 
+    Var JavascriptOperators::GetItem(RecyclableObject* instance, uint32 index, ScriptContext* requestContext)
+    {
+        Var value;
+        if (GetItem(instance, index, &value, requestContext))
+        {
+            return value;
+        }
+
+        return requestContext->GetMissingItemResult();
+    }
+
     Var JavascriptOperators::GetItem(RecyclableObject* instance, uint64 index, ScriptContext* requestContext)
     {
         Var value;

diff --git a/lib/Runtime/Language/JavascriptOperators.h b/lib/Runtime/Language/JavascriptOperators.h
@@ -224,6 +224,7 @@ namespace Js
         static BOOL HasItem(RecyclableObject* instance, uint64 index);
         static BOOL GetOwnItem(RecyclableObject* instance, uint32 index, Var* value, ScriptContext* requestContext);
         static Var GetItem(RecyclableObject* instance, uint64 index, ScriptContext* requestContext);
+        static Var GetItem(RecyclableObject* instance, uint32 index, ScriptContext* requestContext);
         static BOOL GetItem(RecyclableObject* instance, uint64 index, Var* value, ScriptContext* requestContext);
         static BOOL GetItem(RecyclableObject* instance, uint32 index, Var* value, ScriptContext* requestContext);
         static BOOL GetItem(Var instance, RecyclableObject* propertyObject, uint32 index, Var* value, ScriptContext* requestContext);