[CVE-2017-11862] [ChakraCore] Type confusion in module exports - Indi…

…vidual Export was not taking care of destructuring nodes, leading to type confusion. Fixed that by adding support for walking those nodes.
chakra-core · Nov 14, 2017 · 66d733b · 66d733b
1 parent 3f8cc2d
commit 66d733b
Showing 1 changed file with 15 additions and 10 deletions.
diff --git a/lib/Parser/Parse.cpp b/lib/Parser/Parse.cpp
@@ -2505,7 +2505,7 @@ ModuleImportOrExportEntry* Parser::AddModuleImportOrExportEntry(ModuleImportOrEx
 
 void Parser::AddModuleLocalExportEntry(ParseNodePtr varDeclNode)
 {
-    Assert(varDeclNode->nop == knopVarDecl || varDeclNode->nop == knopLetDecl || varDeclNode->nop == knopConstDecl);
+    AssertOrFailFast(varDeclNode->nop == knopVarDecl || varDeclNode->nop == knopLetDecl || varDeclNode->nop == knopConstDecl);
 
     IdentPtr localName = varDeclNode->sxVar.pid;
     varDeclNode->sxVar.sym->SetIsModuleExportStorage(true);
@@ -3014,15 +3014,19 @@ ParseNodePtr Parser::ParseExportDeclaration(bool *needTerminator)
 
             if (buildAST)
             {
-                ParseNodePtr temp = pnode;
-                while (temp->nop == knopList)
-                {
-                    ParseNodePtr varDeclNode = temp->sxBin.pnode1;
-                    temp = temp->sxBin.pnode2;
-
-                    AddModuleLocalExportEntry(varDeclNode);
-                }
-                AddModuleLocalExportEntry(temp);
+                ForEachItemInList(pnode, [&](ParseNodePtr item) {
+                    if (item->nop == knopAsg)
+                    {
+                        Parser::MapBindIdentifier(item, [&](ParseNodePtr subItem)
+                        {
+                            AddModuleLocalExportEntry(subItem);
+                        });
+                    }
+                    else
+                    {
+                        AddModuleLocalExportEntry(item);
+                    }
+                });
             }
         }
         break;
@@ -12966,6 +12970,7 @@ ParseNodePtr Parser::ParseDestructuredInitializer(ParseNodePtr lhsNode,
         pnodeDestructAsg = CreateNodeWithScanner<knopAsg>();
         pnodeDestructAsg->sxBin.pnode1 = lhsNode;
         pnodeDestructAsg->sxBin.pnode2 = pnodeDefault;
+        pnodeDestructAsg->sxBin.pnodeNext = nullptr;
         pnodeDestructAsg->ichMin = lhsNode->ichMin;
         pnodeDestructAsg->ichLim = pnodeDefault->ichLim;
     }