[CVE-2017-0134 CVE-2017-0137] add conversion checks after calls to Is…

…ConcatSpreadable Signed-off-by: Michael Holman <[email protected]>
chakra-core · Mar 16, 2017 · aba0507 · aba0507
1 parent f778167
commit aba0507
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -3149,7 +3149,13 @@ namespace Js
         {
             Var aItem = args[idxArg];
 
-            if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() && !JavascriptOperators::IsConcatSpreadable(aItem))
+            bool concatSpreadable = !scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() || JavascriptOperators::IsConcatSpreadable(aItem);
+            if (!JavascriptNativeIntArray::Is(pDestArray))
+            {
+                ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);
+                return pDestArray;
+            }
+            if(!concatSpreadable)
             {
                 pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);
                 idxDest = idxDest + 1;
@@ -3213,9 +3219,14 @@ namespace Js
         {
             Var aItem = args[idxArg];
 
-            if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() && !JavascriptOperators::IsConcatSpreadable(aItem))
+            bool concatSpreadable = !scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() || JavascriptOperators::IsConcatSpreadable(aItem);
+            if (!JavascriptNativeFloatArray::Is(pDestArray))
+            {
+                ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);
+                return pDestArray;
+            }
+            if (!concatSpreadable)
             {
-
                 pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);
 
                 idxDest = idxDest + 1;