ChakraCore fix for servicing release 18-02B: CVE-2018-0860

chakra-core · Feb 13, 2018 · 9dac38f · 9dac38f
1 parent 6f4265c
commit 9dac38f
Showing 1 changed file with 20 additions and 6 deletions.
diff --git a/lib/Runtime/Base/ThreadContext.h b/lib/Runtime/Base/ThreadContext.h
@@ -1588,10 +1588,6 @@ class ThreadContext sealed :
     template <class Fn>
     inline Js::Var ExecuteImplicitCall(Js::RecyclableObject * function, Js::ImplicitCallFlags flags, Fn implicitCall)
     {
-        // For now, we will not allow Function that is marked as HasNoSideEffect to be called, and we will just bailout.
-        // These function may still throw exceptions, so we will need to add checks with RecordImplicitException
-        // so that we don't throw exception when disableImplicitCall is set before we allow these function to be called
-        // as an optimization.  (These functions are valueOf and toString calls for built-in non primitive types)
 
         Js::FunctionInfo::Attributes attributes = Js::FunctionInfo::GetAttributes(function);
 
@@ -1601,7 +1597,16 @@ class ThreadContext sealed :
         {
             // Has no side effect means the function does not change global value or
             // will check for implicit call flags
-            return implicitCall();
+            Js::Var result = implicitCall();
+
+            // If the value is on stack we need to bailout so that it can be boxed.
+            // Instead of putting this in valueOf (or other builtins which have no side effect) adding
+            // the check here to cover any other scenario we might miss.
+            if (IsOnStack(result))
+            {
+                AddImplicitCallFlags(flags);
+            }
+            return result;
         }
 
         // Don't call the implicit call if disable implicit call
@@ -1617,7 +1622,16 @@ class ThreadContext sealed :
         {
             // Has no side effect means the function does not change global value or
             // will check for implicit call flags
-            return implicitCall();
+            Js::Var result = implicitCall();
+
+            // If the value is on stack we need to bailout so that it can be boxed.
+            // Instead of putting this in valueOf (or other builtins which have no side effect) adding
+            // the check here to cover any other scenario we might miss.
+            if (IsOnStack(result))
+            {
+                AddImplicitCallFlags(flags);
+            }
+            return result;
         }
 
         // Save and restore implicit flags around the implicit call