ChakraCore fix for servicing release 18-02B: CVE-2018-0838

chakra-core · Feb 13, 2018 · f82e7b4 · f82e7b4
1 parent 043257b
commit f82e7b4
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -15417,6 +15417,29 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr)
             }
             break;
         }            
+
+        case Js::OpCode::InitClass:
+            Assert(instr->GetSrc1());
+            if (instr->GetSrc2() == nullptr)
+            {
+                // No extends operand, so the InitClass will not make something into a prototype
+                break;
+            }
+
+            if(doNativeArrayTypeSpec)
+            {
+                // Class/object construction can make something a prototype
+                kills.SetKillsNativeArrays();
+            }
+            break;
+
+        case Js::OpCode::NewScObjectNoCtor:
+            if(doNativeArrayTypeSpec)
+            {
+                // Class/object construction can make something a prototype
+                kills.SetKillsNativeArrays();
+            }
+            break;
     }
 
     return kills;