From 985a82f224e1f55c6b312ce487a43b5d69f37161 Mon Sep 17 00:00:00 2001
From: Atul Katti
Date: Wed, 13 Dec 2017 09:02:46 -0800
Subject: [PATCH] [CVE-2018-0768] Use of PropertyString and SubString,GetString() could lead to UAF - Individual
---
 lib/Runtime/Library/WebAssemblyModule.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lib/Runtime/Library/WebAssemblyModule.cpp b/lib/Runtime/Library/WebAssemblyModule.cpp
index 1fbea12d2cf..0468f658542 100644
--- a/lib/Runtime/Library/WebAssemblyModule.cpp
+++ b/lib/Runtime/Library/WebAssemblyModule.cpp
@@ -175,8 +175,14 @@ Var WebAssemblyModule::EntryCustomSections(RecyclableObject* function, CallInfo
 WebAssemblyModule * module = WebAssemblyModule::FromVar(args[1]);
 Var customSections = nullptr;
 
+ // C++ compiler optimizations can optimize away the sectionName variable while still keeping a reference to the underlying
+ // character buffer sectionNameBuf. The character buffer itself is managed by the recycler; however; we may move past the
+ // start of the character buffer while doing the comparison in memcmp. If a GC happens during CreateArrayBuffer, the character
+ // buffer can get collected as we don't have a reference to the start of the buffer on the stack anymore. To avoid this we need
+ // to pin sectionName.
 ENTER_PINNED_SCOPE(JavascriptString, sectionName);
 sectionName = JavascriptConversion::ToString(sectionNameVar, scriptContext);
+ const char16* sectionNameBuf = sectionName->GetString();
 charcount_t sectionNameLength = sectionName->GetLength();