
[CVE-2018-8500] RCE after cleanup of jitted entry points

Paul Leathers hai 7 anos
pai
achega
cd84a0b85b
Modificáronse 2 ficheiros con 5 adicións e 3 borrados
  1. 1 1
      lib/Runtime/Base/FunctionBody.cpp
  2. 4 2
      lib/Runtime/Base/FunctionBody.h

+ 1 - 1
lib/Runtime/Base/FunctionBody.cpp

@@ -2105,7 +2105,7 @@ namespace Js
     {
         FunctionTypeWeakRefList* typeList = EnsureFunctionObjectTypeList();
 
-        Assert(functionType != deferredPrototypeType);
+        Assert(functionType != deferredPrototypeType && functionType != undeferredFunctionType);
         Recycler * recycler = this->GetScriptContext()->GetRecycler();
         FunctionTypeWeakRef* weakRef = recycler->CreateWeakReferenceHandle(functionType);
         typeList->SetAtFirstFreeSpot(weakRef);
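Review bot: The strengthened Assert on the `+` line enforces the new invariant (undeferredFunctionType is never placed in typeList) only in debug builds; a release build still accepts such a registration silently. Because the companion change in FunctionBody.h now maps undeferredFunctionType explicitly, a stray registration would presumably cause that type to be visited twice from the mapping loop instead of being reported, so a release-mode check is worth considering, e.g. `AssertOrFailFast(functionType != deferredPrototypeType && functionType != undeferredFunctionType);` if that is the project's convention, or at least a comment stating the invariant: `// undeferredFunctionType must never be added to this list; it is mapped explicitly in FunctionBody.h.` The enclosing function starts before this hunk, so its signature and any earlier guards are not visible here.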

+ 4 - 2
lib/Runtime/Base/FunctionBody.h

@@ -1088,8 +1088,10 @@ namespace Js
             {
                 func(this->deferredPrototypeType);
             }
-            // NOTE: We deliberately do not map the undeferredFunctionType here, since it's in the list
-            // of registered function object types we processed above.
+            if (this->undeferredFunctionType)
+            {
+                func(this->undeferredFunctionType);
+            }
         }
 
         static uint GetOffsetOfDeferredPrototypeType() { return static_cast<uint>(offsetof(Js::FunctionProxy, deferredPrototypeType)); }
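Review bot: The removed NOTE was the only explanation of how undeferredFunctionType relates to the registered function object type list, and the added `if` block carries no replacement, so a reader no longer learns why the type is now mapped explicitly nor that it must not also appear in the list (the invariant the Assert in FunctionBody.cpp now checks). Suggest a comment above the new `if`: `// undeferredFunctionType is never registered in the function object type list, so it must be mapped explicitly here.` The enclosing function starts before this hunk.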