CVE-2019-0539, CVE-2019-0567 Edge - Chakra: JIT: Type confusion via N…

…ewScObjectNoCtor or InitProto - Google, Inc.
chakra-core · Jan 7, 2019 · 788f17b · 788f17b
1 parent d73c5f1
commit 788f17b
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -456,6 +456,15 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
         }
         break;
 
+    case Js::OpCode::InitClass:
+    case Js::OpCode::InitProto:
+    case Js::OpCode::NewScObjectNoCtor:
+        if (inGlobOpt)
+        {
+            KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
+        }
+        break;
+
     default:
         if (instr->UsesAllFields())
         {