…-7200,CVE-2016-7201,CVE-2016-7202,CVE-2016-7203,CVE-2016-7208,CVE-2016-7240,CVE-2016-7241,CVE-2016-7242,CVE-2016-7243

Merge pull request #1982 from suwc:build/suwc/bugfix

Type confusion in Array.prototype.filter
Type confusion due to reentrancy can cause a Var to be written into a native int array. Fix by making sure the type-specialized code path is used only when ArraySpeciesCreate() invokes the built-in Array constructor.

Heap overflow in Array.prototype.splice
In Array.prototype.splice, the array length is cached before ArraySpeciesCreate() is invoked. A side effect from ArraySpeciesCreate() can change the array length and result in inconsistent states and possibly a heap overflow. Fix by adding a length check to keep cases with side effects out of the fast path with a pre-calculated length. Also tweak the logic in ArraySpeciesCreate() to flag a non-built-in constructor with a missing [@species] property.

Type confusion in FillFromPrototypes
In ForEachOwnMissingArrayIndexOfObject(), the existing array enumeration logic assumes a Var array. A native array from the caller can cause type confusion and a leak. Fix by converting incoming native arrays to Var arrays.

Parameter type confusion in eval
The extra argument signified by CallFlags_ExtraArg shall be cast to FrameDisplay unless the extra argument is used for new.target, in which case CallFlags_NewTarget is set. Type confusion and an AV occur because the existing logic in eval() does not check that CallFlags_NewTarget is cleared before using the extra argument as a FrameDisplay. Fix by adding a CallFlags_NewTarget check to eval() before the cast to FrameDisplay.

Type confusion in JSON.parse
A non-native array is expected in JSONParser::Walk(). A native array from the caller can cause type confusion and a heap overflow. Fix by converting native arrays to Var arrays.

Type confusion in Array.prototype.concat and .splice
The array newly created by ArraySpeciesCreate is not checked for being a JavascriptCopyOnAccessNativeIntArray, causing near-nullptr AVs. Fix by adding a check-and-convert against JavascriptCopyOnAccessNativeIntArray in the affected built-ins.
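The reentrancy window the commit message describes (splice caching its length, filter assuming an int array, before ArraySpeciesCreate() runs user code) can be observed from plain JavaScript. The block below is an added example, not code from this commit or from ChakraCore: `HookedArray`, `withSpeciesHook` and the sample arrays are constructed for the illustration. A spec-compliant engine such as Node produces the values given in the comments; the defects fixed here were fast paths that kept trusting the length and element type cached before this callback ran.

```javascript
// Added example (not ChakraCore code): observing the ArraySpeciesCreate()
// reentrancy window from script. HookedArray and the sample arrays are
// constructed for this illustration.

class HookedArray extends Array {
  // Array built-ins such as splice/filter/concat call ArraySpeciesCreate(),
  // which reads receiver.constructor[Symbol.species]. That Get runs this
  // getter in the middle of the built-in, after it may have cached `length`.
  static get [Symbol.species]() {
    if (typeof HookedArray.onSpecies === 'function') HookedArray.onSpecies();
    return Array;  // hand back the ordinary Array constructor for the result
  }
}

// Run `body` with a species hook installed, then remove the hook again.
function withSpeciesHook(hook, body) {
  HookedArray.onSpecies = hook;
  try {
    return body();
  } finally {
    HookedArray.onSpecies = undefined;
  }
}

// splice computes len=5 and deleteCount=3, then calls ArraySpeciesCreate();
// the hook shrinks the receiver to length 1 before any element is copied.
function spliceWithShrinkingReceiver() {
  const arr = new HookedArray(1, 2, 3, 4, 5);
  const removed = withSpeciesHook(
    () => { arr.length = 1; },
    () => arr.splice(0, 3));
  // Per spec: `removed` is new Array(3) holding only index 0 (value 1), since
  // indices 1 and 2 were already absent when the copy loop ran; the receiver
  // ends with length 2 and no elements. An engine that kept using the cached
  // length of 5 would read past the shrunk backing store.
  return { removed, arr };
}

// filter starts on an all-integer receiver; the hook stores an object into it
// before the callback loop, so the result can no longer be an int array.
function filterWithRetypedReceiver() {
  const arr = new HookedArray(1, 2, 3);
  const kept = withSpeciesHook(
    () => { arr[0] = { tag: 'not an int' }; },
    () => arr.filter(() => true));
  // Per spec: kept is a plain Array [ {tag:...}, 2, 3 ]. A type-specialized
  // path that still assumed an int array would write a Var into int storage.
  return { kept, arr };
}
```

Both functions return the arrays rather than printing them so the outcome can be checked programmatically; the point to take away is that any length, element-kind or fast-path decision made before ArraySpeciesCreate() must be re-validated afterwards, which is exactly what the fixes above add.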
Showing 7 changed files with 327 additions and 27 deletions.