
[CVE-2019-0912]

MikeHolman committed Apr 17, 2019
1 parent a2deba5 commit 936a5af1c07e0fdec9aab85c05339dabe4aaeeb1
Showing with 24 additions and 7 deletions.
  1. +24 −7 lib/Backend/GlobOptFields.cpp
@@ -415,11 +415,19 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo

case Js::OpCode::InlineArrayPush:
case Js::OpCode::InlineArrayPop:
KillLiveFields(this->lengthEquivBv, bv);
if (inGlobOpt)
if(instr->m_func->GetThisOrParentInlinerHasArguments())
{
// Deleting an item, or pushing a property to a non-array, may change object layout
KillAllObjectTypes(bv);
this->KillAllFields(bv);
this->SetAnyPropertyMayBeWrittenTo();
}
else
{
KillLiveFields(this->lengthEquivBv, bv);
if (inGlobOpt)
{
// Deleting an item, or pushing a property to a non-array, may change object layout
KillAllObjectTypes(bv);
}
}
break;

@@ -444,14 +452,23 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
// Kill length field for built-ins that can update it.
if (nullptr != this->lengthEquivBv)
{
KillLiveFields(this->lengthEquivBv, bv);
// If has arguments, all fields are killed in fall through
if (!instr->m_func->GetThisOrParentInlinerHasArguments())
{
KillLiveFields(this->lengthEquivBv, bv);
}
}
// fall through

case IR::JnHelperMethod::HelperArray_Reverse:
// Deleting an item may change object layout
if (inGlobOpt)
if (instr->m_func->GetThisOrParentInlinerHasArguments())
{
this->KillAllFields(bv);
this->SetAnyPropertyMayBeWrittenTo();
}
else if (inGlobOpt)
{
// Deleting an item may change object layout
KillAllObjectTypes(bv);
}
break;
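Review bot: The new `GetThisOrParentInlinerHasArguments()` branches in both hunks (the InlineArrayPush/InlineArrayPop case and the HelperArray_Reverse case that the length-kill block falls through into) kill every live field and call `SetAnyPropertyMayBeWrittenTo()` without a comment saying why an arguments object forces the conservative path, and the commit message is only the CVE id. I would put above each: `// With an arguments object live (here or in an inliner) the callee may write any property, so kill all fields, not just length/object types.` Note also that, unlike the `KillAllObjectTypes(bv)` it replaces, the all-fields branch runs regardless of `inGlobOpt` and does not call `KillAllObjectTypes` itself — presumably `KillAllFields` clears the whole bit-vector so that is subsumed, but stating that in the comment keeps the omission from reading as accidental. The `!GetThisOrParentInlinerHasArguments()` guard in the second hunk only avoids a redundant `KillLiveFields` before the fall-through, so it is safe only as long as the `// fall through` into HelperArray_Reverse is kept. `ProcessFieldKills` starts before the first hunk and its enclosing switch continues past both.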
