
[CVE-2017-11811] Disable switch jump table opt if aggressive int type spec is disabled. We are not able to handle a non-int-type-specialized index operand on a switch table branch (today, it will cause us to read the wrong jump target and possibly read past the end of the jump table). Another option is to force type specialization of the index operand, but this seems not worth the risk as a servicing fix.

Paul Leathers před 8 roky
rodič
revize
775ed512a7

+ 1 - 1
lib/Backend/GlobOpt.cpp

@@ -17122,7 +17122,7 @@ GlobOpt::IsSwitchOptEnabled(Func const * func)
 {
     Assert(func->IsTopFunc());
     return !PHASE_OFF(Js::SwitchOptPhase, func) && !func->IsSwitchOptDisabled() && !IsTypeSpecPhaseOff(func)
-        && func->DoGlobOpt() && !func->HasTry();
+        && DoAggressiveIntTypeSpec(func) && func->DoGlobOpt() && !func->HasTry();
 }
 
 bool
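Review bot: The new `DoAggressiveIntTypeSpec(func)` clause on the return line carries no comment, so the reason it must stay there lives only in the commit message and a later cleanup could drop or reorder it as redundant. Suggest a line above the `return`, e.g. `// Switch jump tables assume an int-type-specialized index operand; without aggressive int type spec the index may not be, so the opt is disabled (CVE-2017-11811).` This gate only protects lowering paths that consult IsSwitchOptEnabled; if any path builds a jump table without going through it, that path is not covered by this change — worth confirming. IsSwitchOptEnabled's signature is on the hunk header and its closing brace is in view, so the whole function is visible here.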

+ 41 - 0
test/switchStatement/aggressiveintoff.js

@@ -0,0 +1,41 @@
+function opt() {
+    for (let i = 0; i < 100; i++) {
+        let j = i - 2;
+        switch (i) {
+            case 2:
+            case 4:
+            case 6:
+            case 8:
+            case 10:
+            case 12:
+            case 14:
+            case 16:
+            case 18:
+            case 20:
+            case 22:
+            case 24:
+            case 26:
+            case 28:
+            case 30:
+            case 32:
+            case 34:
+            case 36:
+            case 38:
+                break;
+        }
+
+        if (i == 90) {
+            i = 'x';
+        }
+    }
+}
+
+function main() {
+    for (let i = 0; i < 100; i++) {
+        opt();
+    }
+}
+
+main();
+
+WScript.Echo('pass');
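Review bot: The `i = 'x'` assignment at i == 90 is the point of the test — it makes the switch index operand non-int-typed after the loop has been jitted — but nothing in the file says so, and the only check is that execution reaches `WScript.Echo('pass')`. Add a comment above the assignment such as `// Make the switch index non-int so a jump table built without aggressive int type spec would mis-index it.` The assignment also terminates the loop, since incrementing `'x'` yields NaN and `i < 100` then fails, so no iteration after 90 runs; presumably intentional, but worth stating in the same comment.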

+ 11 - 0
test/switchStatement/rlexe.xml

@@ -150,4 +150,15 @@
       <files>singleCharStringCase.js</files>
     </default>
   </test>
+  <test>
+    <default>
+      <files>aggressiveintoff.js</files>
+    </default>
+  </test>
+  <test>
+    <default>
+      <files>aggressiveintoff.js</files>
+      <compile-flags>-off:aggressiveinttypespec</compile-flags>
+    </default>
+  </test>
 </regress-exe>
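Review bot: The two new entries for aggressiveintoff.js differ only by `-off:aggressiveinttypespec`, and the second is the one that exercises the new gate in IsSwitchOptEnabled; a short `<!-- covers the aggressive-int-type-spec-off configuration (CVE-2017-11811) -->` comment on that entry would keep the pair from being collapsed as a duplicate later. Neither entry declares a baseline, so the test presumably relies on the echoed `pass` and a clean exit — fine if that is the harness default, but worth confirming.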