Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion

Microsoft Edge Chakra suffers from a type confusion vulnerability with PathTypeHandlerBase::SetAttributesHelper.

MD5 | 5bdea5cae9762e60edfaa8a268f78dbb

Download

Microsoft Edge: Chakra: Type confusion with PathTypeHandlerBase::SetAttributesHelper 

CVE-2018-8384


Here's a snippet of PathTypeHandlerBase::SetAttributesHelper.

PathTypeHandlerBase *predTypeHandler = this;
DynamicType *currentType = instance->GetDynamicType();
while (predTypeHandler->GetPathLength() > propertyIndex)
{
    currentType = predTypeHandler->GetPredecessorType();
    if (currentType == nullptr)
    {
#ifdef PROFILE_TYPES
        instance->GetScriptContext()->convertPathToDictionaryNoRootCount++;