Trang chủ Khám phá Trợ giúp
Đăng nhập
SunnyMirror
/
ChakraCore
mirror of https://github.com/microsoft/ChakraCore.git
2
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Browse Source

[CVE-2017-8729] incorrect object pattern.

We are incorrectly assuming an object literal to be a pattern. Because we have one local variable when we are parsing the member short we have changed the state.
Fixed that by restoring it back.
Akrosh Gandhi 8 năm trước cách đây
mục cha
80137812bf
commit
7bbe31eb89
2 tập tin đã thay đổi với 7 bổ sung2 xóa
Split View Hiển thị tình trạng sai khác
  1. 5 0
      lib/Parser/Parse.cpp
  2. 2 2
      lib/Runtime/ByteCode/ByteCodeEmitter.cpp

+ 5 - 0
lib/Parser/Parse.cpp
Xem Tập Tin 

@@ -4500,6 +4500,9 @@ ParseNodePtr Parser::ParseMemberList(LPCOLESTR pNameHint, uint32* pNameHintLengt
 
 
                 bool couldBeObjectPattern = !isObjectPattern && m_token.tk == tkAsg;
 
 
+                // Saving the current state as we may change the isObjectPattern down below.
 
+                bool oldState = isObjectPattern;
 
+
 
                 if (couldBeObjectPattern)
 
                 {
 
                     declarationType = tkLCurly;
 
@@ -4540,6 +4543,8 @@ ParseNodePtr Parser::ParseMemberList(LPCOLESTR pNameHint, uint32* pNameHintLengt
 
                 {
 
                     pnodeArg = CreateBinNode(isObjectPattern && !couldBeObjectPattern ? knopObjectPatternMember : knopMemberShort, pnodeName, pnodeIdent);
 
                 }
 
+
 
+                isObjectPattern = oldState;
 
             }
 
             else
 
             {

+ 2 - 2
lib/Runtime/ByteCode/ByteCodeEmitter.cpp
Xem Tập Tin 

@@ -8532,7 +8532,7 @@ void EmitMemberNode(ParseNode *memberNode, Js::RegSlot objectLocation, ByteCodeG
 
 
     if (nameNode->nop == knopComputedName)
 
     {
 
-        Assert(memberNode->nop == knopGetMember || memberNode->nop == knopSetMember || memberNode->nop == knopMember);
 
+        AssertOrFailFast(memberNode->nop == knopGetMember || memberNode->nop == knopSetMember || memberNode->nop == knopMember);
 
 
         Js::OpCode setOp = memberNode->nop == knopGetMember ?
 
             (isClassMember ? Js::OpCode::InitClassMemberGetComputedName : Js::OpCode::InitGetElemI) :
 
@@ -8604,7 +8604,7 @@ void EmitMemberNode(ParseNode *memberNode, Js::RegSlot objectLocation, ByteCodeG
 
     }
 
     else
 
     {
 
-        Assert(memberNode->nop == knopGetMember || memberNode->nop == knopSetMember);
 
+        AssertOrFailFast(memberNode->nop == knopGetMember || memberNode->nop == knopSetMember);
 
 
         Js::OpCode setOp = memberNode->nop == knopGetMember ?
 
             (isClassMember ? Js::OpCode::InitClassMemberGet : Js::OpCode::InitGetFld) :