[1.6>master] [MERGE #3074 @suwc] Fix problems caused by late update o…
…f sparse segment's 'left' field

Merge pull request #3074 from suwc:build/suwc/bugfix

This bug was introduced in #2959 (CVE-2017-0238). Revert the move of the 'left' field update and add try..catch.
Suwei Chen committed Jun 1, 2017
2 parents 4bf0562 + 133d141 commit 3282057
Showing 3 changed files with 68 additions and 15 deletions.
38 changes: 23 additions & 15 deletions lib/Runtime/Library/JavascriptArray.cpp
Expand Up @@ -2078,6 +2078,7 @@ namespace Js
limit = JavascriptArray::MaxArrayLength;
}
seg->size = min(newSize, limit - seg->left);
seg->CheckLengthvsSize();
}
}
uint32 i;
Expand Down Expand Up @@ -7653,6 +7654,8 @@ namespace Js

Assert(pArr->length <= MaxArrayLength - unshiftElements);

SparseArraySegmentBase* renumberSeg = pArr->head->next;

bool isIntArray = false;
bool isFloatArray = false;

Expand Down Expand Up @@ -7683,21 +7686,6 @@ namespace Js
}
}

if (isIntArray)
{
UnshiftHelper<int32>(pArr, unshiftElements, args.Values);
}
else if (isFloatArray)
{
UnshiftHelper<double>(pArr, unshiftElements, args.Values);
}
else
{
UnshiftHelper<Var>(pArr, unshiftElements, args.Values);
}

SparseArraySegmentBase* renumberSeg = pArr->head->next;

while (renumberSeg)
{
renumberSeg->left += unshiftElements;
Expand All @@ -7709,6 +7697,26 @@ namespace Js
renumberSeg = renumberSeg->next;
}

try
{
if (isIntArray)
{
UnshiftHelper<int32>(pArr, unshiftElements, args.Values);
}
else if (isFloatArray)
{
UnshiftHelper<double>(pArr, unshiftElements, args.Values);
}
else
{
UnshiftHelper<Var>(pArr, unshiftElements, args.Values);
}
}
catch (...)
{
Js::Throw::FatalInternalError();
}

pArr->InvalidateLastUsedSegment();
pArr->length += unshiftElements;

38 changes: 38 additions & 0 deletions test/Array/bug_12044876.js
@@ -0,0 +1,38 @@
//-------------------------------------------------------------------------------------------------------
// Copyright (C) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
//-------------------------------------------------------------------------------------------------------
//switches: -forcearraybtree

// x86debug: lib\runtime\Library/JavascriptArray.inl, current->left >= lastindex
function test0() {
var arr = [4294967296];
arr[9] = 19;
arr.unshift(1, 2, {}, 4, 5, 6, 7, 8, 9, 10, 11, 12);
}

// x64debug: lib\Runtime\Library\SparseArraySegment.cpp, length <= size
function test1() {
function makeArrayLength() {
return 100;
}
var obj0 = {};
var protoObj0 = {};
var obj1 = {};
var arrObj0 = {};
var func0 = function () {
};
var func1 = function () {
};
obj0.method1 = func0;
var ary = Array();
var IntArr1 = new Array();
IntArr1[15] = ~obj1.prop0;
arrObj0.length = makeArrayLength();
IntArr1[10] = arrObj0.length;
makeArrayLength(IntArr1.unshift(func1(), ary, obj0.method1(), protoObj0, Object(), arrObj0, -1877547837));
}

test0();
test1();
console.log("Pass");
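Review bot: test0 and test1 only check that unshift does not trip a debug assert; in a release build a silent mis-renumbering of `left` would still reach `console.log("Pass")`, so the regression is only caught in the debug configurations named in the comments. A one-line content check after each unshift keeps the test meaningful in both builds, e.g. at the end of test0: `if (arr.length !== 22 || arr[12] !== 4294967296 || arr[21] !== 19) throw new Error("unexpected array contents after unshift");`. test1 can do the same on `IntArr1.length === 23` and `IntArr1[17] === 100`, which is where the original element at index 10 should land after seven values are prepended.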
7 changes: 7 additions & 0 deletions test/Array/rlexe.xml
Expand Up @@ -732,6 +732,13 @@
<files>bug_9575461.js</files>
</default>
</test>
<test>
<default>
<files>bug_12044876.js</files>
<compile-flags>-forcearraybtree</compile-flags>
<tags>BugFix</tags>
</default>
</test>
<test>
<default>
<files>array_conv_src.js</files>
