JULY 2018 Security Update #5444
…ed buffer allows for semi arbitrary memory read write.
…script9.dll after closing WebBrowserControl - Internal.
… - Individual If attacker can force ServerAddDOMFastPathHelper to be called with bad arguments (e.g. using a separate OOB write vuln on the content process), then we will have an OOB read in JIT process, which leads us to lower a direct call to that OOB value.
… Intl - Google, Inc.
We have cleared the segment map before ArraySpecies. The ArraySpecies is re-entrant and once we have come back from the user code we may have constructed the segment map. This segment map is not valid anymore as we are doing splicing. Fixed this by clearing the segment map.
… first before marshalling the last parameter to a FrameDisplay - Internal
…tializeDateTimeFormat - Google, Inc.
LGTM #Resolved
#if ENABLE_FIXED_FIELDS | ||
this->IsInitialized = descriptor.IsInitialized; | ||
this->IsOnlyOneAccessorInitialized = descriptor.IsOnlyOneAccessorInitialized; |
[CVE-2018-8291] LGTM #Resolved
{ | ||
// Setter without a getter; this is a stale entry, so ignore it | ||
continue; | ||
} |
[CVE-2018-8283]: LGTM #Resolved
{ | ||
JavascriptError::ThrowTypeError(scriptContext, JSERR_DetachedTypedArray); | ||
} | ||
|
||
//10. Let O be OrdinaryCreateFromConstructor(NewTarget, "%DataViewPrototype%", [[DataView]], [[ViewedArrayBuffer]], [[ByteLength]], [[ByteOffset]]). |
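Review bot: The detached-buffer check here runs before step 10, and nothing visible re-checks the buffer once the object has been created. If the implementation of OrdinaryCreateFromConstructor reads NewTarget's prototype through a script-visible lookup, the buffer could be detached between this check and the point where the view captures it; please confirm a second check follows step 10, or say in a comment why none is needed. Separately, JSERR_DetachedTypedArray is raised from what the step 10 comment shows to be the DataView constructor, so the error text may name the wrong object type.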
[CVE-2018-8280] LGTM #Resolved
// is kept alive until this callback completes. Any pending timer is killed in the thread service destructor so we should not get | ||
// any new callbacks after the thread service is destroyed. | ||
AutoAddRefReleaseThreadService autoThreadServiceKeepAlive(this); | ||
|
[CVE-2018-8287] LGTM #Resolved
@@ -1543,7 +1536,7 @@ DEFINE_ISXLOCALEAVAILABLE(PR, uloc) | |||
} | |||
|
|||
state->SetInternalProperty( | |||
InternalPropertyIds::HiddenObject, | |||
InternalPropertyIds::CachedUNumberFormat, |
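Review bot: The two consecutive first arguments to state->SetInternalProperty (InternalPropertyIds::HiddenObject followed by InternalPropertyIds::CachedUNumberFormat) read as a one-line replacement, but nothing in the hunk says why the value is no longer stored under HiddenObject. A short comment at this call stating what each id is reserved for would keep a later change from reusing the wrong one, and every reader of this property should be checked to confirm it looks up CachedUNumberFormat as well.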
CachedUNumberFormat [](start = 33, length = 19)
[CVE-2018-8298] LGTM #Resolved
@@ -283,6 +283,7 @@ DECLSPEC_GUARDIGNORE _NOINLINE intptr_t GetNonTableMethodAddress(ThreadContextI | |||
///---------------------------------------------------------------------------- | |||
intptr_t GetMethodOriginalAddress(ThreadContextInfo * context, JnHelperMethod helperMethod) | |||
{ | |||
AssertOrFailFast(helperMethod >= 0 && helperMethod < IR::JnHelperMethodCount); |
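Review bot: The AssertOrFailFast at the top of GetMethodOriginalAddress bounds helperMethod against IR::JnHelperMethodCount, but the hunk header shows a neighbouring GetNonTableMethodAddress that is not touched here. If that function, or any other reachable path, also indexes by a JnHelperMethod value, it needs the same range check, or the check should move to the single point where the value first enters the process. A one-line comment saying where an out-of-range helperMethod could come from would also explain why this is a fail-fast rather than a debug-only assert.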
AssertOrFailFast [](start = 4, length = 16)
[CVE-2018-8276] LGTM #Resolved
Intl change LGTM /cc @jackhorton
Merge pull request #5444 from atulkatti:servicing/1807_1.10

JULY 2018 Security Update that addresses the following issues in ChakraCore.dll:
[CVE-2018-8275], [CVE-2018-8276], [CVE-2018-8279], [CVE-2018-8280], [CVE-2018-8283], [CVE-2018-8286], [CVE-2018-8287], [CVE-2018-8288], [CVE-2018-8290], [CVE-2018-8291], [CVE-2018-8294], [CVE-2018-8298]