17-05 ChakraCore servicing release #2959
…Step method invocation issue While invoking then and catch functions on the promise returned by async function we were directly invoking those without checking. Overriding those methods with tagged int can cause wrong method execution.
…icit call if BailOutOnArrayAccessHelperCall is set, as that bailout kind indicates that downstream code will assume no side-effects.
Array length mutation introduced by copy-from-prototype reentrancy can cause heap overflow in concat fast paths. Fix by excluding copy-from-prototype cases from fast paths. Adjust unit tests to avoid excessively long run time.
…nt state Array segment allocation induces OOM that leaves length > size that can be exploited. Move code that updates segment size to after allocation; Replace "length <= size" Assert with AssertOrFailFast in JavascriptArray and SparseSegment; Add length vs. size check and FailFast throughout JavascriptArray and SparseSegment where segment length or size are being updated.
Segments were getting reversed in the ReverseHelper call. This made the head segment, which is an inlined segment, become a next segment. If that segment becomes part of another array (say due to splice) and the original array goes away, then the inlined segment will also go away and we are potentially holding the freed memory. Fixed that by detecting the inlined segment and converting it to a normal segment in the EntryReverse API.
Fix instances of non-blinded possibly large constants in the jit
Don't eliminate bounds checks on virtual typed arrays if we can't guarantee that the accesses will be within 4Gb
Change the vtable of virtual typed arrays to regular typed arrays upon array buffer detach to prevent writes to detached buffer in the jitted code.
…assignment expression We don't calculate the correct right paren location when a lambda contains an assignment expression where the assignment rhs is wrapped in parens. Due to the incorrect offset, we overwrite the buffer allocated in ScriptFunction::EnsureSourceString when we try to toString the lambda.
…uctor parse node If there is a multi-byte character in the source before a class decl, the constructor function created for that class will have incorrect byte offset values. This leads us to truncate the source string buffer when we try to do toString on that class constructor function and accidentally print garbage. Fix is to calculate the byte offsets correctly.
LGTM in terms of 37688 and 37814.
test/utf8/rlexe.xml
<test>
<default>
<files>bugGH2656.js</files>
<compile-flags>-args summary</compile-flags>
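Review bot: the <compile-flags> line passes `-args summary` without a closing `-endargs`, so the flag list for this rlexe.xml entry is left open; the thread below confirms the entry is failing CI, so change it to `<compile-flags>-args summary -endargs</compile-flags>`.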
Is -endargs needed?
Yep. This test is actually failing the CI.
/cc @boingoing
Re: fix for CVE-2017-0230
Various CI problems in Jenkins and VSO.
My stuff looks fine.
@dotnet-bot test windows arm_release windows x64_release windows x86_release
@dotnet-bot test Windows arm_release
@dotnet-bot test Windows x64_release
@dotnet-bot test Windows x86_release
@rajatd There's a prefast warning there.
@rajatd Note: you can re-run multiple builds from a single comment. Just added a section to the Wiki to explain: https://github.com/Microsoft/ChakraCore/wiki/Jenkins-Build-Triggers#re-run-multiple-individual-builds
LGTM
LGTM 👍
Thanks for fixing that unit test
Merge pull request #2959 from rajatd:release/1705 Fixes the following CVEs impacting ChakraCore: CVE-2017-0229 CVE-2017-0223 CVE-2017-0224 CVE-2017-0252 CVE-2017-0230 CVE-2017-0234 CVE-2017-0235 CVE-2017-0236 CVE-2017-0228 CVE-2017-0238 CVE-2017-0266
…suwc] Fix problems caused by late update of sparse segment's 'left' field Merge pull request #3074 from suwc:build/suwc/bugfix This bug was introduced chakra-core/ChakraCore#2959 (CVE-2017-0238) Revert the move of 'left' field update and add try..catch
Fixes the following CVEs impacting ChakraCore:
CVE-2017-0229
CVE-2017-0223
CVE-2017-0224
CVE-2017-0252
CVE-2017-0230
CVE-2017-0234
CVE-2017-0235
CVE-2017-0236
CVE-2017-0228
CVE-2017-0238
CVE-2017-0266