Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion

Microsoft Edge Chakra suffers from a type confusion vulnerability with PathTypeHandlerBase::SetAttributesHelper.



Microsoft Edge: Chakra: Type confusion with PathTypeHandlerBase::SetAttributesHelper 

CVE-2018-8384


Here's a snippet of PathTypeHandlerBase::SetAttributesHelper.

    PathTypeHandlerBase *predTypeHandler = this;
    DynamicType *currentType = instance->GetDynamicType();
    while (predTypeHandler->GetPathLength() > propertyIndex)
    {
        currentType = predTypeHandler->GetPredecessorType();
        if (currentType == nullptr)
        {
#ifdef PROFILE_TYPES
            instance->GetScriptContext()->convertPathToDictionaryNoRootCount++;