
17-09 ChakraCore servicing release #3727

Merged: chakrabot merged 15 commits into chakra-core:release/1.6 from suwc:build/suwc/1709B on Sep 14, 2017

Conversation

@suwc suwc commented Sep 14, 2017


[CVE-2017-8741] Limit JSON Stringify loop to initialized portion
[CVE-2017-8748] Fix UAF caused by GC during bailout
[CVE-2017-11767] Do not instantiate param scope if only the function expression symbol is captured
[CVE-2017-8756] JIT peephole optimization error
[CVE-2017-8753] Array Reverse OOM RCE
[CVE-2017-8729] Incorrect object pattern
[CVE-2017-8739] Buffer overread in IsMissingItem
[CVE-2017-8751] Type confusion casting undefined with TypeOfPrototypeObjectDictionary type
[CVE-2017-8757] RCE on Windows Insider Preview
[CVE-2017-11764] Parser::ParseCatch doesn't handle "eval"
[CVE-2017-8660] Uninitialized local variables
[CVE-2017-8755] Fail fast if we can't reparse asm.js module after linking failure
[CVE-2017-8649] Bytecode tampering mitigation code accidentally turned off - Internal
[CVE-2017-8740] Fix bad bytecode gen for 'with'
[CVE-2017-8752] Fix missing bound check in asm.js in case of constant negative index

MikeHolman and others added 6 commits September 14, 2017 00:03
…rvative) fix for this issue relied on marking scopes as containing 'with'. But because block scopes are created lazily, we can miss the opportunity to mark a scope. Instead, implementing a more accurate fix that marks symbols that are referenced from within 'with' statements as needing scope objects if they are closure-captured.
suwc commented Sep 14, 2017

Author

@dotnet-bot
test Tab Check

@suwc suwc force-pushed the build/suwc/1709B branch 3 times, most recently from a117ce1 to f89700e Compare September 14, 2017 15:48
Suwei Chen and others added 9 commits September 14, 2017 09:05

This is the case where the array's length is bigger than the head segment's length.
Fixed that by putting in a proper check.

We are incorrectly assuming an object literal to be a pattern. Because we have one local variable when we are parsing the member short, we have changed the state.
Fixed that by restoring it back.

In ReverseHelper the call to ReallocateNonLeafLastSegmentIfLeaf can throw, which leaves lastUsedSegment wrongly pointing to
the unlinked segment.
Fixed that by putting in an AutoFailFast error.

The peephole optimizer fails to invalidate both arguments to XCHG
instructions, which can lead subsequent passes (notably copy propagation)
to refer to the XCHG op's second arg, assuming it will get that register's
original value. Fixed that by invalidating both arguments.

…expression symbol is captured

If a split scope happens because of the function expression being captured, then the param scope may not have any locals in closure, as the function expression symbol belongs to the function expression scope. In this case we don't have to instantiate the param scope in split scope.

We used this memcpy to put the references on the stack so that the
GC wouldn't free them; the compiler figured out that it could take
the memcpy and the stack buffer out completely (by spec). Actually
passing it around fixes this issue.

CustomExternalObjects can override the enumeration operations to
have side effects. In such a case, an object can be passed to an
invocation of JSON::Stringify, leading to stack values being used
inappropriately.
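The XCHG hazard described in the peephole commit message above, as a toy model added here for illustration (this is not ChakraCore's JIT code): a copy-propagation pass that invalidates only the first XCHG operand keeps a stale register equivalence alive and rewrites a later read to the wrong register. The IR, the register names and the `copy_propagate`, `run` and `r4_after` helpers are all constructed for this example.

```python
from typing import Any, Dict, List, Tuple

Instr = Tuple[Any, ...]  # ("mov", dst, src) or ("xchg", a, b); src is a register name or an int

# Constructed sample program: r3 is a copy of r2 until the XCHG rewrites r2.
PROGRAM: List[Instr] = [
    ("mov", "r1", 5),
    ("mov", "r2", 7),
    ("mov", "r3", "r2"),   # copy propagation records r3 == r2
    ("xchg", "r1", "r2"),  # writes BOTH r1 and r2, so r3 == r2 no longer holds
    ("mov", "r4", "r3"),   # must read r3 (7), not the stale copy source r2 (now 5)
]

def copy_propagate(program: List[Instr], invalidate_both: bool) -> List[Instr]:
    """Rewrite register sources with an equivalent earlier copy.
    copies[r] == s means 'r currently holds the same value as s'.
    invalidate_both=False models the bug: XCHG only kills its first operand."""
    copies: Dict[str, str] = {}
    out: List[Instr] = []

    def kill(reg: str) -> None:  # writing reg falsifies every equivalence mentioning it
        for k in [k for k, v in copies.items() if reg in (k, v)]:
            del copies[k]

    for op, *args in program:
        if op == "xchg":
            kill(args[0])
            if invalidate_both:
                kill(args[1])  # the fix: the second operand is written as well
            out.append((op, *args))
        else:  # mov
            dst, src = args
            if isinstance(src, str) and src in copies:
                src = copies[src]  # propagate the copy
            kill(dst)
            if isinstance(src, str):
                copies[dst] = src
            out.append(("mov", dst, src))
    return out

def run(program: List[Instr]) -> Dict[str, int]:
    """Interpret the toy IR and return the final register file."""
    regs: Dict[str, int] = {}
    for op, *args in program:
        if op == "xchg":
            regs[args[0]], regs[args[1]] = regs[args[1]], regs[args[0]]
        else:
            regs[args[0]] = regs[args[1]] if isinstance(args[1], str) else args[1]
    return regs

def r4_after(invalidate_both: bool) -> int:
    # Final r4 after optimizing and then running PROGRAM; 7 is the correct value.
    return run(copy_propagate(PROGRAM, invalidate_both))["r4"]
```

With the buggy pass the last instruction is rewritten to `mov r4, r2`, so r4 ends up holding r1's original value instead of r3's; killing both XCHG operands leaves the program untouched and correct.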
@chakrabot chakrabot merged commit 545bd32 into chakra-core:release/1.6 Sep 14, 2017
chakrabot pushed a commit that referenced this pull request Sep 14, 2017
Merge pull request #3727 from suwc:build/suwc/1709B

   [CVE-2017-8741] Limit JSON Stringify loop to initialized portion
   [CVE-2017-8748] Fix UAF caused by GC during bailout
   [CVE-2017-11767] Do not instantiate param scope if only the function expression symbol is captured
   [CVE-2017-8756] JIT peephole optimization error
   [CVE-2017-8753] Array Reverse OOM RCE
   [CVE-2017-8729] Incorrect object pattern
   [CVE-2017-8739] Buffer overread in IsMissingItem
   [CVE-2017-8751] Type confusion casting undefined with TypeOfPrototypeObjectDictionary type
   [CVE-2017-8757] RCE on Windows Insider Preview
   [CVE-2017-11764] Parser::ParseCatch doesn't handle "eval"
   [CVE-2017-8660] Uninitialized local variables
   [CVE-2017-8755] Fail fast if we can't reparse asm.js module after linking failure
   [CVE-2017-8649] Bytecode tampering mitigation code accidentally turned off - Internal
   [CVE-2017-8740] Fix bad bytecode gen for 'with'
   [CVE-2017-8752] Fix missing bound check in asm.js in case of constant negative index
@suwc suwc deleted the build/suwc/1709B branch September 14, 2017 17:10
10 participants