[CVE-2017-11846] [ChakraCore]- Chakra Array.Shift Heap Overflow RCE -…

… Qihoo 360 OOM in the Array.Shift method have left the array in the bad state and later it got overlapped and exploited. Fixed that by making the any exception as failfast in that region
chakra-core · Nov 14, 2017 · 3f8cc2d · 3f8cc2d
1 parent 85d42e7
commit 3f8cc2d
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -5825,6 +5825,8 @@ namespace Js
             {
                 isFloatArray = true;
             }
+            // Code below has potential to throw due to OOM or SO. Just FailFast on those cases
+            AutoDisableInterrupt failFastOnError(scriptContext->GetThreadContext());
 
             if (pArr->head->length != 0)
             {
@@ -5884,6 +5886,8 @@ namespace Js
             {
                 ShiftHelper<Var>(pArr, scriptContext);
             }
+
+            failFastOnError.Completed();
         }
         else
         {