
Commit ff9067e

Ian Halliday authored and agarwal-sandeep committed
Chakra Assert : sym->HasScopeSlot()
CVE-2016-3202 A let/const bug exposes a bad array indexing operation during bytecode emit. A symbol can fail to get a location due to this bug but then the location is used to offset into an array assuming it is always valid. Fix the array offset issue by performing a bounds check and throwing FatalInternalError if an out of bounds access would occur.
1 parent 3b9dc1a commit ff9067e

1 file changed

Lines changed: 16 additions & 6 deletions


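--- a/lib/Runtime/ByteCode/ByteCodeEmitter.cpp
+++ b/lib/Runtime/ByteCode/ByteCodeEmitter.cpp
@@ -1799,37 +1799,47 @@ void ByteCodeGenerator::InitScopeSlotArray(FuncInfo * funcInfo)
 propertyIdsForScopeSlotArray[i] = Js::Constants::NoProperty;
 }
 #endif
+auto setPropertyIdForScopeSlotArray =
+[scopeSlotCount, propertyIdsForScopeSlotArray]
+(Js::PropertyId slot, Js::PropertyId propId)
+{
+if (slot < 0 || (uint)slot >= scopeSlotCount)
+{
+Js::Throw::FatalInternalError();
+}
+propertyIdsForScopeSlotArray[slot] = propId;
+};
 
-auto setPropIdsForScopeSlotArray = [funcInfo, propertyIdsForScopeSlotArray](Symbol *const sym)
+auto setPropIdsForScopeSlotArray = [funcInfo, setPropertyIdForScopeSlotArray](Symbol *const sym)
 {
 if (sym->NeedsSlotAlloc(funcInfo))
 {
 // All properties should get correct propertyId here.
 Assert(sym->HasScopeSlot()); // We can't allocate scope slot now. Any symbol needing scope slot must have allocated it before this point.
-propertyIdsForScopeSlotArray[sym->GetScopeSlot()] = sym->EnsurePosition(funcInfo);
+setPropertyIdForScopeSlotArray(sym->GetScopeSlot(), sym->EnsurePosition(funcInfo));
 }
 };
 
 funcInfo->GetBodyScope()->ForEachSymbol(setPropIdsForScopeSlotArray);
 
 if (funcInfo->thisScopeSlot != Js::Constants::NoRegister)
 {
-propertyIdsForScopeSlotArray[funcInfo->thisScopeSlot] = Js::PropertyIds::_lexicalThisSlotSymbol;
+setPropertyIdForScopeSlotArray(funcInfo->thisScopeSlot, Js::PropertyIds::_lexicalThisSlotSymbol);
 }
 
 if (funcInfo->newTargetScopeSlot != Js::Constants::NoRegister)
 {
-propertyIdsForScopeSlotArray[funcInfo->newTargetScopeSlot] = Js::PropertyIds::_lexicalNewTargetSymbol;
+setPropertyIdForScopeSlotArray(funcInfo->newTargetScopeSlot, Js::PropertyIds::_lexicalNewTargetSymbol);
 }
 
 if (funcInfo->superScopeSlot != Js::Constants::NoRegister)
 {
-propertyIdsForScopeSlotArray[funcInfo->superScopeSlot] = Js::PropertyIds::_superReferenceSymbol;
+setPropertyIdForScopeSlotArray(funcInfo->superScopeSlot, Js::PropertyIds::_superReferenceSymbol);
 }
 
 if (funcInfo->superCtorScopeSlot != Js::Constants::NoRegister)
 {
-propertyIdsForScopeSlotArray[funcInfo->superCtorScopeSlot] = Js::PropertyIds::_superCtorReferenceSymbol;
+setPropertyIdForScopeSlotArray(funcInfo->superCtorScopeSlot, Js::PropertyIds::_superCtorReferenceSymbol);
 }
 
 #if DEBUG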
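Review bot: The new setPropertyIdForScopeSlotArray lambda should carry a comment saying why it fails hard instead of asserting, because the `Assert(sym->HasScopeSlot())` just above its first call site presumably compiles out in release builds, which makes this bounds check the only guard on the index in shipping code; suggest placing `// Release-build guard: the Assert above is debug-only. A symbol that never received a scope slot must not be allowed to index outside the array (CVE-2016-3202).` directly above the `if`. In the condition, `slot < 0 ||` and `(uint)slot >= scopeSlotCount` each reject negative values on their own, so the pair is redundant though harmless; if kept, `static_cast<uint>(slot)` would make the intentional narrowing greppable. As the commit message itself notes, the check contains the out-of-bounds write but does not address the let/const path that leaves a symbol without a location, so that root cause is worth tracking separately. InitScopeSlotArray begins before and ends after this hunk.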
