Fix misused calls to BOOL JavascriptOperators::GetItem
MSRC 32922 CVE-2016-0191 CVE-2016-0186

Calls were being made to JavascriptOperators::GetItem and not checking the return value to see if the property was actually found. Some implementations of GetItem do not touch the value out parameter when returning false and so we had potential use of an uninitialized variable in the cases where the return value was not checked. These cases have been changed to use the overload of GetItem that returns undefined if the property is not found.

ES6 spec says that the Has operation must be executed first (which we must follow due to Proxy trapping) before doing a Get in most of these cases. Our code assumed that if Has returned true then Get would also return true but this is no longer true now with the Proxy feature. Proxy can provide a has trap that returns true but then give no get trap leading to Has -> true, Get -> false.
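
The pattern the commit message describes, as an added example that is not code from this commit or from ChakraCore: a BOOL-style getter that leaves its out parameter untouched on failure, a caller that trusts Has and ignores the result, and the same caller using an overload that yields undefined on a miss. `ProxyLike`, `HasItem`, `ReadUnchecked`, `ReadFixed` and the `kStale` sentinel (standing in for an uninitialized local) are hypothetical names.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical stand-ins for illustration; these are not ChakraCore types.
using Var = std::string;
const Var kUndefined = "undefined";
const Var kStale = "<stale stack contents>";  // models an uninitialized local

struct ProxyLike {
    bool hasTrapResult;                 // what the "has" trap reports
    std::map<std::string, Var> target;  // properties a Get can actually find
};

bool HasItem(const ProxyLike& o, const std::string&) { return o.hasTrapResult; }

// BOOL-style getter: on failure it returns false and never writes *value.
bool GetItem(const ProxyLike& o, const std::string& key, Var* value) {
    auto it = o.target.find(key);
    if (it == o.target.end()) return false;
    *value = it->second;
    return true;
}

// Overload in the style the commit switches to: a miss yields undefined.
Var GetItem(const ProxyLike& o, const std::string& key) {
    Var value;
    return GetItem(o, key, &value) ? value : kUndefined;
}

// Before: assumes Has == true implies Get succeeds, ignores the return value.
Var ReadUnchecked(const ProxyLike& o, const std::string& key) {
    Var value = kStale;  // the real code left this uninitialized
    if (!HasItem(o, key)) return kUndefined;
    GetItem(o, key, &value);  // result discarded
    return value;
}

// After: the value is defined on every path.
Var ReadFixed(const ProxyLike& o, const std::string& key) {
    return HasItem(o, key) ? GetItem(o, key) : kUndefined;
}

int main() {
    ProxyLike p{true, {}};  // constructed input: Has -> true, Get -> false
    std::cout << ReadUnchecked(p, "0") << "\n" << ReadFixed(p, "0") << "\n";
}
```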