[CVE-2017-0134 CVE-2017-0137] add conversion checks after calls to IsConcatSpreadable

MikeHolman · MikeHolman · commit aba05079c1cb · 2017-03-16T15:35:53.000-07:00
Signed-off-by: Michael Holman &lt;Michael.Holman@microsoft.com&gt;
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -3149,7 +3149,13 @@ namespace Js
         {
             Var aItem = args[idxArg];
 
-            if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() && !JavascriptOperators::IsConcatSpreadable(aItem))
+            bool concatSpreadable = !scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() || JavascriptOperators::IsConcatSpreadable(aItem);
+            if (!JavascriptNativeIntArray::Is(pDestArray))
+            {
+                ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);
+                return pDestArray;
+            }
+            if(!concatSpreadable)
             {
                 pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);
                 idxDest = idxDest + 1;
@@ -3213,9 +3219,14 @@ namespace Js
         {
             Var aItem = args[idxArg];
 
-            if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() && !JavascriptOperators::IsConcatSpreadable(aItem))
+            bool concatSpreadable = !scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() || JavascriptOperators::IsConcatSpreadable(aItem);
+            if (!JavascriptNativeFloatArray::Is(pDestArray))
+            {
+                ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);
+                return pDestArray;
+            }
+            if (!concatSpreadable)
             {
-
                 pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);
 
                 idxDest = idxDest + 1;
