Skip to content
Permalink
Browse files

[CVE-2019-1092] Chakra JIT OOB R/W

  • Loading branch information...
MikeHolman authored and atulkatti committed Jun 4, 2019
1 parent 362e965 commit d4e767fb946128c135d77edda7a794561e1c1f06
Showing with 8 additions and 6 deletions.
  1. +7 −5 lib/Backend/GlobOptBlockData.cpp
  2. +1 −1 lib/Backend/GlobOptBlockData.h
@@ -974,7 +974,8 @@ GlobOptBlockData::MergeValueInfo(
fromDataValueInfo->AsArrayValueInfo(),
fromDataSym,
symsRequiringCompensation,
symsCreatedForMerge);
symsCreatedForMerge,
isLoopBackEdge);
}

// Consider: If both values are VarConstantValueInfo with the same value, we could
@@ -1072,7 +1073,8 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
const ArrayValueInfo *const fromDataValueInfo,
Sym *const arraySym,
BVSparse<JitArenaAllocator> *const symsRequiringCompensation,
BVSparse<JitArenaAllocator> *const symsCreatedForMerge)
BVSparse<JitArenaAllocator> *const symsCreatedForMerge,
bool isLoopBackEdge)
{
Assert(mergedValueType.IsAnyOptimizedArray());
Assert(toDataValueInfo);
@@ -1095,7 +1097,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
}
else
{
if (!this->globOpt->IsLoopPrePass())
if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
{
// Adding compensation code in the prepass won't help, as the symstores would again be different in the main pass.
Assert(symsRequiringCompensation);
@@ -1123,7 +1125,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
}
else
{
if (!this->globOpt->IsLoopPrePass())
if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
{
Assert(symsRequiringCompensation);
symsRequiringCompensation->Set(arraySym->m_id);
@@ -1150,7 +1152,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
}
else
{
if (!this->globOpt->IsLoopPrePass())
if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
{
Assert(symsRequiringCompensation);
symsRequiringCompensation->Set(arraySym->m_id);
@@ -264,7 +264,7 @@ class GlobOptBlockData
Value * MergeValues(Value *toDataValue, Value *fromDataValue, Sym *fromDataSym, bool isLoopBackEdge, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
ValueInfo * MergeValueInfo(Value *toDataVal, Value *fromDataVal, Sym *fromDataSym, bool isLoopBackEdge, bool sameValueNumber, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
JsTypeValueInfo * MergeJsTypeValueInfo(JsTypeValueInfo * toValueInfo, JsTypeValueInfo * fromValueInfo, bool isLoopBackEdge, bool sameValueNumber);
ValueInfo * MergeArrayValueInfo(const ValueType mergedValueType, const ArrayValueInfo *const toDataValueInfo, const ArrayValueInfo *const fromDataValueInfo, Sym *const arraySym, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
ValueInfo * MergeArrayValueInfo(const ValueType mergedValueType, const ArrayValueInfo *const toDataValueInfo, const ArrayValueInfo *const fromDataValueInfo, Sym *const arraySym, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge, bool isLoopBackEdge);

// Argument Tracking
public:

0 comments on commit d4e767f

Please sign in to comment.
You can’t perform that action at this time.