[CVE-2018-8467] Edge - Chakra type confusion - Google, Inc.

chakra-core · Sep 11, 2018 · 07a72e2 · 07a72e2
1 parent 70aa49a
commit 07a72e2
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -1915,6 +1915,10 @@ GlobOpt::UpdateObjPtrValueType(IR::Opnd * opnd, IR::Instr * instr)
                 }
             }
             break;
+        case Js::TypeIds_NativeIntArray:
+        case Js::TypeIds_NativeFloatArray:
+            // Do not mark these values as definite to protect against array conversion
+            break;
         case Js::TypeIds_Array:
             // Because array can change type id, we can only make it definite if we are doing array check hoist
             // so that implicit call will be installed between the array checks.