
[CVE-2019-0911]

MikeHolman committed Apr 17, 2019
1 parent 32ca10f commit a2deba5e1850782014a2a34678464b251e448337
Showing with 7 additions and 0 deletions.
  1. +4 −0 lib/Runtime/Library/ES5Array.cpp
  2. +3 −0 lib/Runtime/Library/JavascriptArray.cpp
@@ -148,6 +148,10 @@ namespace Js
{
JavascriptError::ThrowRangeError(scriptContext, JSERR_ArrayLengthAssignIncorrect);
}

// Conversion can change the type (e.g. from String), invalidating assumptions made by the JIT
scriptContext->GetThreadContext()->AddImplicitCallFlags(ImplicitCall_Accessor);

return newLen;
}
}
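Review bot: The new comment above `AddImplicitCallFlags(ImplicitCall_Accessor)` says the conversion can change the value's type, but not why an accessor flag is raised when no accessor call is visible in the hunk; a later reader could take the flag for a mistake and remove it. I would extend the comment, e.g. `// Not an accessor call: the flag is raised so jitted code re-validates its type assumptions after the conversion.` (presumably that is the intent; confirm against the JIT's bailout handling). The same two lines are repeated in the lib/Runtime/Library/JavascriptArray.cpp hunk, so the same wording applies there. The diffstat lists only the two library files, so the fix ships without a regression test; one covering a non-numeric length assignment would guard against the flag being dropped later. The enclosing function starts outside the hunk.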
@@ -2930,6 +2930,9 @@ using namespace Js;
double dblValue = JavascriptConversion::ToNumber(newLength, scriptContext);
if (dblValue == uintValue)
{
// Conversion can change the type (e.g. from String), invalidating assumptions made by the JIT
scriptContext->GetThreadContext()->AddImplicitCallFlags(ImplicitCall_Accessor);

this->SetLength(uintValue);
}
else
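Review bot: The flag is raised only inside the `dblValue == uintValue` branch, although the `ToNumber` call that performs the conversion has already run before the comparison. If the `else` path, whose body is outside the hunk, can ever return normally, jitted callers would continue with stale assumptions; placing `scriptContext->GetThreadContext()->AddImplicitCallFlags(ImplicitCall_Accessor);` directly after the `ToNumber` line would make the signal independent of the branch. If the `else` path always throws, a short comment saying so would document why the success branch alone is enough.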
