Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion

EDB-ID: 45215
Author: Google Security Research
Published: 2018-08-17
CVE: CVE-2018-8291
Type: Dos
Platform: Windows
Aliases: N/A
Advisory/Source: Link
Tags: Type Confusion
Vulnerable App: N/A

 /* 
 Here's the method. 
     template <typename TPropertyIndex> 
     template <typename TPropertyIndexFrom> 
     void DictionaryPropertyDescriptor<TPropertyIndex>::CopyFrom(DictionaryPropertyDescriptor<TPropertyIndexFrom>& descriptor) 
     { 
         this->Attributes = descriptor.Attributes; 
         this->Data = (descriptor.Data == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Data; 
         this->Getter = (descriptor.Getter == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Getter; 
         this->Setter = (descriptor.Setter == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Setter; 
         this->IsAccessor = descriptor.IsAccessor; 
  
 #if ENABLE_FIXED_FIELDS 
         this->IsInitialized = descriptor.IsInitialized; 
         this->IsFixed = descriptor.IsFixed; 
         this->UsedAsFixed = descriptor.UsedAsFixed;