From e035a2db081cd4f385732e3ac5665ef087954825 Mon Sep 17 00:00:00 2001
From: Paul Leathers
Date: Thu, 26 Jul 2018 11:12:31 -0700
Subject: [PATCH] [CVE-2018-8459] Edge - ChakraCore Type Confusion Vulnerability -
---
 lib/Runtime/Types/PathTypeHandler.cpp | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/lib/Runtime/Types/PathTypeHandler.cpp b/lib/Runtime/Types/PathTypeHandler.cpp
index 74e81f88f15..9293902ded0 100644
--- a/lib/Runtime/Types/PathTypeHandler.cpp
+++ b/lib/Runtime/Types/PathTypeHandler.cpp
@@ -2563,8 +2563,9 @@ namespace Js
 Assert(IsObjectHeaderInlinedTypeHandler());
 // Clone the type Path here to evolve separately
+ Recycler * recycler = library->GetRecycler();
 uint16 pathLength = GetPathLength();
- TypePath * clonedPath = TypePath::New(library->GetRecycler(), pathLength);
+ TypePath * clonedPath = TypePath::New(recycler, pathLength);
 ObjectSlotAttributes *attributes = this->GetAttributeArray();
 for (PropertyIndex i = 0; i < pathLength; i++)
@@ -2597,12 +2598,29 @@ namespace Js
 }
 else
 {
+ uint8 newTypePathSize = clonedPath->GetPathSize();
+
+ ObjectSlotAttributes * newAttributes = RecyclerNewArrayLeaf(recycler, ObjectSlotAttributes, newTypePathSize);
+ memcpy(newAttributes, attributes, sizeof(ObjectSlotAttributes) * newTypePathSize);
+
+ PathTypeSetterSlotIndex * setters = GetSetterSlots();
+ PathTypeSetterSlotIndex * newSetters;
+ if (setters == nullptr)
+ {
+ newSetters = nullptr;
+ }
+ else
+ {
+ newSetters = RecyclerNewArrayLeaf(recycler, PathTypeSetterSlotIndex, newTypePathSize);
+ memcpy(newSetters, setters, sizeof(PathTypeSetterSlotIndex) * newTypePathSize);
+ }
+
 clonedTypeHandler = PathTypeHandlerWithAttr::New(
 library->GetScriptContext(),
 clonedPath,
- attributes,
- GetSetterSlots(),
+ newAttributes,
+ newSetters,
 GetSetterCount(),
 GetPathLength(),
 static_cast(GetSlotCapacity()),
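Review bot: The comment `// Clone the type Path here to evolve separately` in this first hunk now understates the change — the following hunk (whose end lies outside this view) also deep-copies the attribute array and, when present, the setter-slot array into fresh recycler arrays before passing them to `PathTypeHandlerWithAttr::New`, and that array sharing is presumably what the CVE-2018-8459 title refers to. Since this hunk only hoists `recycler` into a local for those allocations, the comment is the natural place to record why the copies exist, otherwise a later reader may "simplify" back to passing `attributes` and `GetSetterSlots()` through. Suggest `// Clone the type path, attribute array and setter slots so the new handler can evolve independently; sharing those arrays with the original handler could let changes made through one handler affect the other.` The enclosing function starts before this hunk.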