
[CVE-2017-8524] Force addition of a data slot to the property descriptor when a global let/const property is added and a same-named global getter/setter already exists.

Paul Leathers 8 år sedan
förälder
incheckning
b4f28f09d1

+ 5 - 1
lib/Runtime/Types/DictionaryPropertyDescriptor.h

@@ -154,6 +154,10 @@ namespace Js
         if (this->IsAccessor)
         {
             Assert(this->Data == NoSlots);
+            if (addingLetConstGlobal)
+            {
+                this->Data = nextPropertyIndex++;
+            }
         }
         else if (addingLetConstGlobal)
         {
@@ -165,7 +169,7 @@ namespace Js
             this->Getter = nextPropertyIndex++;
         }
         this->Attributes |= PropertyLetConstGlobal;
-        Assert(GetDataPropertyIndex<false>() != NoSlots);
+        Assert((addingLetConstGlobal ? GetDataPropertyIndex<true>() : GetDataPropertyIndex<false>()) != NoSlots);
     }
 
     template <typename TPropertyIndex>
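Review bot: The invariants this fix depends on are checked only with `Assert`, which is presumably compiled out of release builds (confirm for this codebase). That covers both `Assert(this->Data == NoSlots)` before the new `this->Data = nextPropertyIndex++;` in the accessor branch and the rewritten final assert that the data index is not `NoSlots`. Since a descriptor left without a valid data slot is the condition behind this CVE, consider a check on the final condition that also holds in release builds. A comment above the new block would help the next reader, for example `// A global let/const shadowing an existing accessor needs its own data slot (CVE-2017-8524).` The accessor case now takes one more slot from `nextPropertyIndex`, so the caller's slot-capacity accounting should be confirmed; the enclosing function starts outside the hunk.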

+ 5 - 0
test/LetConst/rlexe.xml

@@ -379,4 +379,9 @@
       <compile-flags>-args summary -endargs</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>shadowedsetter.js</files>
+    </default>
+  </test>
 </regress-exe>

+ 13 - 0
test/LetConst/shadowedsetter.js

@@ -0,0 +1,13 @@
+evaluate = WScript.LoadScript;
+
+__defineSetter__("x", function () { });
+
+evaluate(`
+  let x = 'let';
+  Object.defineProperty(this, "x", { value:
+          0xdec0  })
+  if (x === 'let' && this.x === 57024)
+  {
+    WScript.Echo('pass');
+  }
+`);
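Review bot: The regression test exercises only `let` shadowing a setter, while the commit title describes the fix as covering let/const against a same-named getter or setter; a `const` case and a `__defineGetter__` case would pin the whole condition. The failure path prints nothing, so a regression shows up only as missing output. An `else` branch such as `WScript.Echo('fail: x=' + x + ' this.x=' + this.x);` would put the offending values in the test log.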