17-03 ChakraCore servicing release #2697

Merged 23 commits on Mar 16, 2017

Commits on Mar 16, 2017

  1. [CVE-2017-0094] Type confusion in JavascriptProxy::SetPropertyTrap when using a Symbol
    
    When setting a property trap with JavascriptProxy::SetPropertyTrap using a symbol as a property id, we incorrectly assume that JavascriptProxy::GetName returns a PropertyString. The case for a JavascriptSymbol is unhandled, and we do a static cast leading to type confusion. Fix is to handle any cases other than PropertyString by using nullptr, as is the convention elsewhere.
    tcare authored and MikeHolman committed Mar 16, 2017
    Commit 7061486
  2. Add test for proxy type confusion

    tcare authored and MikeHolman committed Mar 16, 2017
    Commit c30253b
  3. [CVE-2017-0071] Handle conversion of src operand on store to a typed array if the bailout kind tells us to bail out on helper calls.

    pleath authored and MikeHolman committed Mar 16, 2017
    Commit ff21352
  4. Check for post-lower opcodes earlier than normal.

    This change promotes several asserts to failfasts, and adds two additional ones,
    in order to ensure that no post-lower opcodes are added earlier than the lowerer
    phase, either by being added to the incoming bytecode buffer, or by corrupting a
    part of the IR during the earlier phases of the JIT.
    Penguinwizzard authored and MikeHolman committed Mar 16, 2017
    Commit bf4ef6c
  5. Commit 80cfdbb
  6. Commit f778167
  7. [CVE-2017-0134 CVE-2017-0137] add conversion checks after calls to IsConcatSpreadable
    
    Signed-off-by: Michael Holman <Michael.Holman@microsoft.com>
    MikeHolman committed Mar 16, 2017
    Commit aba0507
  8. Commit dd61e04
  9. Commit 1750d47
  10. Commit 94993f2
  11. Commit e701fc7
  12. Commit 70e23dc
  13. Commit f1a8c50
  14. Commit 720bacd
  15. [CVE-2017-0035] Asm.Js: Assign function number in order using internal list instead of parse node index.

    Cellule authored and MikeHolman committed Mar 16, 2017
    Commit b7854cd
  16. [CVE-2017-0028] Fix binding of 'async' identifier in the presence of async arrow function.

    pleath authored and MikeHolman committed Mar 16, 2017
    Commit 402f3d9
  17. Commit fb08c4d
  18. Commit db504eb
  19. Commit 05af363
  20. [CVE-2017-0196] Fixing a heap overread during slice.

    The MissingItem check is happening on the array in a loop. It is possible that we get called into script and that mutates the array. So the Array's head is newly created with length.
    However the loop is still performing over the old length.
    Fixed this by checking the length in the IsMissingItem function.
    Added a unit test.
    akroshg authored and MikeHolman committed Mar 16, 2017
    Commit 065b797
  21. Commit b75b9e8
  22. [CVE-2017-0152] MSFT: 10592731 : Issue with Function name capturing in param scope

    In a function expression with name, where the name is captured in one
    of the param scope functions, if there is a function or var declaration
    with the same name as the function expression name we were marking the
    function expression name as shadowed. In the non-eval case this causes
    an issue because the name symbol won't get added to the body. This change is to
    fix it in such a way that if the name is captured in the param scope then we
    split the param and body scope such that the name symbol is added to the
    param scope, not the body scope.
    aneeshdk authored and MikeHolman committed Mar 16, 2017
    Commit 9da0194
  23. Commit cd6f65b