
[CVE-2019-1237]

MikeHolman committed Jul 26, 2019
1 parent b75847e commit 31f2588c7ba5b446bccf2769e9ecf4d444b73045
Showing with 6 additions and 0 deletions.
  1. +6 −0 lib/Runtime/Library/BoundFunction.cpp
@@ -354,6 +354,12 @@ namespace Js
Var varLength;
if (targetFunction->GetProperty(targetFunction, PropertyIds::length, &varLength, nullptr, requestContext))
{
if (!TaggedInt::Is(varLength))
{
// ToInt32 conversion on non-primitive length can invalidate assumptions made by the JIT,
// so add implicit call flag if length isn't a TaggedInt already
requestContext->GetThreadContext()->AddImplicitCallFlags(ImplicitCall_Accessor);
}
len = JavascriptConversion::ToInt32(varLength, requestContext);
}
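Review bot: The guard `if (!TaggedInt::Is(varLength))` is broader than the comment above it states: it also fires for primitive values that are not tagged ints, such as a heap-allocated double, where the ToInt32 conversion presumably cannot run script. That over-approximation is the safe direction for the JIT, but the comment should say it is deliberate, for example `// Deliberately conservative: any non-TaggedInt length is treated as a possible implicit call`, so a later cleanup does not narrow the test to an object check without re-auditing the JIT's assumptions. The flag recorded is `ImplicitCall_Accessor` although the side effect described is a conversion; if I recall the enum correctly there is an `ImplicitCall_ToPrimitive` value that would describe it more accurately, and the comment should say why the accessor flag was chosen if that is intentional. The enclosing function starts and ends outside the hunk, so whether the preceding `GetProperty` on `length` already records an accessor call cannot be confirmed from here.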
