Microsoft Edge Chakra - 'JavascriptFunction::ReparseAsmJsModule' Incorrectly Re-parses

EDB-ID: 42766
Author: Google Security Research
Published: 2017-09-21
CVE: CVE-2017-8755
Type: DoS
Platform: Windows
Aliases: N/A
Tags: N/A
Vulnerable App: N/A

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1327

Here's the method used to re-parse asm.js modules:
void JavascriptFunction::ReparseAsmJsModule(ScriptFunction** functionRef)
{
    ParseableFunctionInfo* functionInfo = (*functionRef)->GetParseableFunctionInfo();
    Assert(functionInfo);
    functionInfo->GetFunctionBody()->AddDeferParseAttribute();
    functionInfo->GetFunctionBody()->ResetEntryPoint();
    functionInfo->GetFunctionBody()->ResetInParams();

    FunctionBody * funcBody = functionInfo->Parse(functionRef);

#if ENABLE_PROFILE_INFO
    // This is the first call to the function, ensure dynamic profile info
    funcBody->EnsureDynamicProfileInfo();