[2.0>master] [1.4>2.0] [MERGE #2834 @rajatd] 17-04 ChakraCore servici…

…ng release Merge pull request #2834 from rajatd:release/1704 Fixes the following CVEs impacting ChakraCore CVE-2017-0093 CVE-2017-0208
chakra-core · Apr 14, 2017 · 973bffb · 973bffb
2 parents 539b252 + 1bdedfa
commit 973bffb
Show file tree

Hide file tree

Showing 7 changed files with 58 additions and 7 deletions.
diff --git a/lib/Runtime/Language/AsmJsUtils.cpp b/lib/Runtime/Language/AsmJsUtils.cpp
@@ -213,7 +213,8 @@ namespace Js
 
         AsmJsModuleInfo::EnsureHeapAttached(func);
 
-        uint actualArgCount = callInfo.Count - 1; // -1 for ScriptFunction
+        ArgumentReader reader(&callInfo, origArgs);
+        uint actualArgCount = reader.Info.Count - 1; // -1 for ScriptFunction
         argDst = argDst + MachPtr; // add one first so as to skip the ScriptFunction argument
         for (ArgSlot i = 0; i < info->GetArgCount(); i++)
         {

diff --git a/lib/Runtime/Library/JavascriptString.cpp b/lib/Runtime/Library/JavascriptString.cpp
@@ -199,10 +199,10 @@ namespace Js
     }
 
     JavascriptString::JavascriptString(StaticType * type, charcount_t charLength, const char16* szValue)
-        : RecyclableObject(type), m_charLength(charLength), m_pszValue(szValue)
+        : RecyclableObject(type), m_pszValue(szValue)
     {
         Assert(type->GetTypeId() == TypeIds_String);
-        AssertMsg(IsValidCharCount(charLength), "String length is out of range");
+        SetLength(charLength);
     }
 
     _Ret_range_(m_charLength, m_charLength)
@@ -3353,7 +3353,7 @@ namespace Js
         return builder.ToString();
     }
 
-    int JavascriptString::IndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, int len, const char16* searchStr, int searchLen, int position)
+    int JavascriptString::IndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, charcount_t len, const char16* searchStr, int searchLen, int position)
     {
         int result = -1;
 
@@ -3400,7 +3400,7 @@ namespace Js
         return result;
     }
 
-    int JavascriptString::LastIndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, int len, const char16* searchStr, int searchLen, int position)
+    int JavascriptString::LastIndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, charcount_t len, const char16* searchStr, charcount_t searchLen, charcount_t position)
     {
         const char16 searchFirst = searchStr[0];
         uint32 lMatchedJump = searchLen;

diff --git a/lib/Runtime/Library/JavascriptString.h b/lib/Runtime/Library/JavascriptString.h
@@ -157,8 +157,8 @@ namespace Js
         char16* GetSzCopy();   // get a copy of the inner string without compacting the chunks
 
         static Var ToCaseCore(JavascriptString* pThis, ToCase toCase);
-        static int IndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, int len, const char16* searchStr, int searchLen, int position);
-        static int LastIndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, int len, const char16* searchStr, int searchLen, int position);
+        static int IndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, charcount_t len, const char16* searchStr, int searchLen, int position);
+        static int LastIndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, charcount_t len, const char16* searchStr, charcount_t searchLen, charcount_t position);
         static bool BuildLastCharForwardBoyerMooreTable(JmpTable jmpTable, const char16* searchStr, int searchLen);
         static bool BuildFirstCharBackwardBoyerMooreTable(JmpTable jmpTable, const char16* searchStr, int searchLen);
         static charcount_t ConvertToIndex(Var varIndex, ScriptContext *scriptContext);

diff --git a/test/AsmJs/evalbug.js b/test/AsmJs/evalbug.js
@@ -0,0 +1,18 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+function asm() {
+  "use asm"
+  function f(a, b) {
+    a = a|0;
+    b = b|0;
+    return a|0;
+  }
+  return f;
+}
+
+eval = asm();
+eval("some string");
+print("PASSED");
diff --git a/test/AsmJs/rlexe.xml b/test/AsmJs/rlexe.xml
@@ -545,6 +545,11 @@
       <compile-flags>-testtrace:asmjs -forcedeferparse -simdjs</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>evalbug.js</files>
+    </default>
+  </test>
   <test>
     <default>
       <files>constTest.js</files>

diff --git a/test/Strings/repeatBug.js b/test/Strings/repeatBug.js
@@ -0,0 +1,21 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+try
+{
+    var str = "+".repeat(0x80000000);
+    str = str.replace(str, "+");
+
+  	WScript.Echo("FAIL: Was expecting Out of Memory exception.");
+}
+catch (e)
+{
+  if(e.number == -2146828281) //Out of Memory
+    WScript.Echo("PASS");
+  else
+    WScript.Echo("FAIL: Got the wrong exception code.");
+}
+
+
diff --git a/test/Strings/rlexe.xml b/test/Strings/rlexe.xml
@@ -248,4 +248,10 @@
       <tags>exclude_win7</tags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>repeatBug.js</files>
+      <tags>exclude_chk, Slow</tags>
+    </default>
+  </test> 
 </regress-exe>