
Commit dd61e04

committed
[CVE-2017-0150] DeferDeserialize is not working properly with asm.js ChangeHeap
1 parent aba0507 commit dd61e04

4 files changed

Lines changed: 11 additions & 6 deletions


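--- a/lib/Runtime/ByteCode/FuncInfo.cpp
+++ b/lib/Runtime/ByteCode/FuncInfo.cpp
@@ -13,7 +13,7 @@ FuncInfo::FuncInfo(
 Js::ParseableFunctionInfo* byteCodeFunction)
 : alloc(alloc),
 varRegsCount(0),
-constRegsCount(2),
+constRegsCount(InitialConstRegsCount),
 inArgsCount(0),
 innerScopeCount(0),
 currentInnerScopeIndex((uint)-1),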

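--- a/lib/Runtime/ByteCode/FuncInfo.h
+++ b/lib/Runtime/ByteCode/FuncInfo.h
@@ -83,6 +83,8 @@ class FuncInfo
 uint nextForInLoopLevel;
 uint maxForInLoopLevel;
 public:
+static const Js::RegSlot InitialConstRegsCount = 2; // constRegsCount is set to 2 because R0 is the return register, and R1 is the root object
+
 ArenaAllocator *alloc;
 // set in Bind/Assign pass
 Js::RegSlot varRegsCount; // number of registers used for non-constants
@@ -192,7 +194,6 @@ class FuncInfo
 Symbol *innerArgumentsSymbol;
 JsUtil::List<Js::RegSlot, ArenaAllocator> nonUserNonTempRegistersToInitialize;
 
-// constRegsCount is set to 2 because R0 is the return register, and R1 is the root object.
 FuncInfo(
 const char16 *name,
 ArenaAllocator *alloc,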

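--- a/lib/Runtime/Language/AsmJsByteCodeGenerator.cpp
+++ b/lib/Runtime/Language/AsmJsByteCodeGenerator.cpp
@@ -3324,6 +3324,8 @@ namespace Js
 byteCodeGen->Writer()->EndStatement(functionNode);
 byteCodeGen->Writer()->End();
 
+functionBody->CheckAndSetConstantCount(FuncInfo::InitialConstRegsCount);
+
 autoCleanup.Done();
 }
 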
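Review bot: The new `functionBody->CheckAndSetConstantCount(FuncInfo::InitialConstRegsCount);` at line 3327 has no comment saying why the asm.js module path needs the regular bytecode path's initial constant-register count, so the next reader cannot tell whether this is a correction of the body's register layout or a defensive check. A one-line comment above it would make the intent durable, e.g. `// Keep the asm.js body's constant-register count consistent with what FuncInfo starts from (R0 return register, R1 root object), which is what the interpreter expects when this body is deserialized later`, adjusted to whatever CheckAndSetConstantCount actually enforces, which is not visible in this hunk. The enclosing function starts outside the hunk; only its closing brace at 3330 is shown.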
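--- a/lib/Runtime/Language/InterpreterStackFrame.cpp
+++ b/lib/Runtime/Language/InterpreterStackFrame.cpp
@@ -2772,16 +2772,18 @@ namespace Js
 
 AsmJsScriptFunction* scriptFuncObj = (AsmJsScriptFunction*)ScriptFunction::OP_NewScFunc(pDisplay, functionInfo);
 localModuleFunctions[modFunc.location] = scriptFuncObj;
+
+if (scriptFuncObj->GetDynamicType()->GetEntryPoint() == DefaultDeferredDeserializeThunk)
+{
+JavascriptFunction::DeferredDeserialize(scriptFuncObj);
+}
+
 if (i == 0 && info->GetUsesChangeHeap())
 {
 scriptFuncObj->GetDynamicType()->SetEntryPoint(AsmJsChangeHeapBuffer);
 }
 else
 {
-if (scriptFuncObj->GetDynamicType()->GetEntryPoint() == DefaultDeferredDeserializeThunk)
-{
-JavascriptFunction::DeferredDeserialize(scriptFuncObj);
-}
 scriptFuncObj->GetDynamicType()->SetEntryPoint(AsmJsExternalEntryPoint);
 scriptFuncObj->GetFunctionBody()->GetAsmJsFunctionInfo()->SetModuleFunctionBody(asmJsModuleFunctionBody);
 }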
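Review bot: The hoisted deferred-deserialize block at new lines 2776-2779 carries no comment explaining why it must run before either SetEntryPoint call, so a later refactor could move it back under the else branch and silently reintroduce the defect this commit fixes. Previously the ChangeHeap branch (`i == 0 && info->GetUsesChangeHeap()`) overwrote the entry point with AsmJsChangeHeapBuffer without ever deserializing, which is what the commit title describes; the ordering is now the whole point of the change and deserves to be stated. Suggest adding above the new `if`: `// Deserialize before selecting an entry point: both branches below overwrite the entry point, so a deferred-deserialize thunk would otherwise be dropped for the ChangeHeap function (see CVE-2017-0150 in the commit title).` The enclosing loop and function start and end outside this hunk, so whether the body is used again further down cannot be checked here.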
