
CVE-2019-0991

pleath committed May 15, 2019
1 parent ed6db8d commit 1caa4118796d33513bc40ce894c053a92de98abb
Showing with 29 additions and 0 deletions.
  1. +25 −0 lib/Backend/GlobOpt.cpp
  2. +4 −0 lib/Backend/GlobOpt.h
@@ -12827,6 +12827,26 @@ GlobOpt::ProcessValueKills(IR::Instr *const instr)
it.RemoveCurrent();
}
}
else if(kills.KillsObjectArraysWithNoMissingValues())
{
// Some operations may kill objects with arrays-with-no-missing-values in unlikely circumstances. Convert their value types to likely
// versions so that the checks have to be redone.
for(auto it = valuesToKillOnCalls->GetIteratorWithRemovalSupport(); it.IsValid(); it.MoveNext())
{
Value *const value = it.CurrentValue();
ValueInfo *const valueInfo = value->GetValueInfo();
Assert(
valueInfo->IsArrayOrObjectWithArray() ||
valueInfo->IsOptimizedVirtualTypedArray() ||
valueInfo->IsOptimizedTypedArray() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym());
if(!valueInfo->IsArrayOrObjectWithArray() || valueInfo->IsArray() || !valueInfo->HasNoMissingValues())
{
continue;
}
ChangeValueType(nullptr, value, valueInfo->Type().ToLikely(), false);
it.RemoveCurrent();
}
}

if(kills.KillsNativeArrays())
{
@@ -13358,6 +13378,11 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr)
{
kills.SetKillsArrayLengths();
}

if(doArrayMissingValueCheckHoist && !(useValueTypes && arrayValueType.IsArray()))
{
kills.SetKillsObjectArraysWithNoMissingValues();
}
break;
}

@@ -317,6 +317,7 @@ class JsArrayKills
{
bool killsAllArrays : 1;
bool killsArraysWithNoMissingValues : 1;
bool killsObjectArraysWithNoMissingValues : 1;
bool killsNativeArrays : 1;
bool killsArrayHeadSegments : 1;
bool killsArrayHeadSegmentLengths : 1;
@@ -342,6 +343,9 @@ class JsArrayKills
bool KillsArraysWithNoMissingValues() const { return killsArraysWithNoMissingValues; }
void SetKillsArraysWithNoMissingValues() { killsArraysWithNoMissingValues = true; }

bool KillsObjectArraysWithNoMissingValues() const { return killsObjectArraysWithNoMissingValues; }
void SetKillsObjectArraysWithNoMissingValues() { killsObjectArraysWithNoMissingValues = true; }

bool KillsNativeArrays() const { return killsNativeArrays; }
void SetKillsNativeArrays() { killsNativeArrays = true; }
