[CVE-2018-8177] Edge - Speculative type confusion on PropertyString

Re-order PropertyString poisoning code
chakra-core · May 8, 2018 · eb4b00b · eb4b00b
1 parent 23848b1
commit eb4b00b
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/lib/Backend/Lower.cpp b/lib/Backend/Lower.cpp
@@ -15260,13 +15260,14 @@ Lowerer::GenerateFastElemIStringIndexCommon(IR::Instr * instrInsert, bool isStor
         IR::IndirOpnd::New(indexOpnd, 0, TyMachPtr, m_func),
         LoadVTableValueOpnd(instrInsert, VTableValue::VtablePropertyString),
         Js::OpCode::BrNeq_A, notPropStrLabel, instrInsert);
-    InsertBranch(Js::OpCode::Br, propStrLoadedLabel, instrInsert);
 
     if (!isStore)
     {
         InsertObjectPoison(indexOpnd, branchInstr, instrInsert);
     }
 
+    InsertBranch(Js::OpCode::Br, propStrLoadedLabel, instrInsert);
+
     instrInsert->InsertBefore(notPropStrLabel);
 
     branchInstr = InsertCompareBranch(