
[CVE-2019-0917]

pleath authored and MikeHolman committed Apr 17, 2019
1 parent 9725847 commit b5f8fad1b00087bd0a24cc173c2dfedc4f8aee33
Showing with 4 additions and 3 deletions.
  1. +2 −2 lib/Backend/IRBuilder.cpp
  2. +2 −1 lib/Runtime/Language/ValueType.cpp
@@ -1758,7 +1758,7 @@ IRBuilder::BuildReg1(Js::OpCode newOpcode, uint32 offset, Js::RegSlot R0)
}

case Js::OpCode::NewScObjectSimple:
dstValueType = ValueType::GetObject(ObjectType::Object);
dstValueType = ValueType::GetObject(ObjectType::UninitializedObject);
// fall-through
case Js::OpCode::LdFuncExpr:
m_func->DisableCanDoInlineArgOpt();
@@ -5050,7 +5050,7 @@ IRBuilder::BuildAuxiliary(Js::OpCode newOpcode, uint32 offset)
// lower take it from there...
srcOpnd = IR::IntConstOpnd::New(auxInsn->Offset, TyUint32, m_func);
dstOpnd = this->BuildDstOpnd(dstRegSlot);
dstOpnd->SetValueType(ValueType::GetObject(ObjectType::Object));
dstOpnd->SetValueType(ValueType::GetObject(ObjectType::UninitializedObject));
instr = IR::Instr::New(newOpcode, dstOpnd, srcOpnd, m_func);

// Because we're going to be making decisions based off the value, we have to defer
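Review bot: The destination value type stamped in the NewScObjectSimple case of BuildReg1 and again in BuildAuxiliary carries no explanation of why a freshly created object must be ObjectType::UninitializedObject rather than ObjectType::Object, and the next reader will be tempted to "simplify" it back to the tighter type. I would add above each assignment: `// The object's layout is not final yet (the accompanying ValueType change treats it as able to become an ObjectWithArray), so do not let the JIT speculate that it is not an array-like object.` Both enclosing functions start and end outside these hunks. Any other opcode in IRBuilder.cpp that builds a new object and sets `ValueType::GetObject(ObjectType::Object)` on its dst would presumably need the same treatment; I cannot see those sites from here.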
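--- a/lib/Runtime/Language/ValueType.cpp
+++ b/lib/Runtime/Language/ValueType.cpp
@@ -577,7 +577,8 @@ bool ValueType::IsNotArrayOrObjectWithArray() const
 {
 return
 IsNotObject() ||
-(IsObject() && GetObjectType() != ObjectType::ObjectWithArray && GetObjectType() != ObjectType::Array);
+(IsObject() && GetObjectType() != ObjectType::ObjectWithArray && GetObjectType() != ObjectType::Array
+&& GetObjectType() != ObjectType::UninitializedObject && GetObjectType() != ObjectType::Object);
 }
 
 bool ValueType::IsNativeArray() const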
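Review bot: The widened condition in IsNotArrayOrObjectWithArray now answers false for ObjectType::Object and ObjectType::UninitializedObject, but nothing in the function says why those two generic object types can no longer be reported as "definitely not an array", so the exclusion reads like a mistake to anyone who did not see this commit. I would add above the `return`: `// Object and UninitializedObject are not final layouts; they may still become an ObjectWithArray, so only a more specific non-array object type may be reported as not-array here.` Sibling predicates in this file that key on GetObjectType() (an IsNotArray-style check, if one exists) may carry the same assumption and are worth auditing, though they are outside this hunk. A regression test that stores an indexed property on an object from a simple constructor inside a jitted loop would pin the fix against future "tightening" of this predicate.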
