From 599553009146f8e0d3a93e8b183c13c49d09481f Mon Sep 17 00:00:00 2001 From: chakrabot Date: Thu, 1 Jun 2017 03:41:39 -0700 Subject: [PATCH] [Merge Microsoft/Chakracore@3282057f4d] [1.6>master] [MERGE #3074 @suwc] Fix problems caused by late update of sparse segment's 'left' field Merge pull request #3074 from suwc:build/suwc/bugfix This bug was introduced https://github.com/Microsoft/ChakraCore/pull/2959 (CVE-2017-0238) Revert the move of 'left' field update and add try..catch --- .../lib/Runtime/Library/JavascriptArray.cpp | 38 +++++++++++-------- .../core/test/Array/bug_12044876.js | 38 +++++++++++++++++++ deps/chakrashim/core/test/Array/rlexe.xml | 7 ++++ 3 files changed, 68 insertions(+), 15 deletions(-) create mode 100644 deps/chakrashim/core/test/Array/bug_12044876.js diff --git a/deps/chakrashim/core/lib/Runtime/Library/JavascriptArray.cpp b/deps/chakrashim/core/lib/Runtime/Library/JavascriptArray.cpp index 83c6185bca8..b6e4d610ec0 100644 --- a/deps/chakrashim/core/lib/Runtime/Library/JavascriptArray.cpp +++ b/deps/chakrashim/core/lib/Runtime/Library/JavascriptArray.cpp @@ -2078,6 +2078,7 @@ namespace Js limit = JavascriptArray::MaxArrayLength; } seg->size = min(newSize, limit - seg->left); + seg->CheckLengthvsSize(); } } uint32 i; @@ -7653,6 +7654,8 @@ namespace Js Assert(pArr->length <= MaxArrayLength - unshiftElements); + SparseArraySegmentBase* renumberSeg = pArr->head->next; + bool isIntArray = false; bool isFloatArray = false; @@ -7683,21 +7686,6 @@ namespace Js } } - if (isIntArray) - { - UnshiftHelper(pArr, unshiftElements, args.Values); - } - else if (isFloatArray) - { - UnshiftHelper(pArr, unshiftElements, args.Values); - } - else - { - UnshiftHelper(pArr, unshiftElements, args.Values); - } - - SparseArraySegmentBase* renumberSeg = pArr->head->next; - while (renumberSeg) { renumberSeg->left += unshiftElements; 
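Review bot: The `seg->CheckLengthvsSize();` added after `seg->size = min(newSize, limit - seg->left);` in the first hunk reads like a debug-only assertion (the test file's comment ties the x64 failure to a `length <= size` check), so if that is what it is, a release build still carries on with an inconsistent segment instead of failing fast the way the unshift hunk now does. If the fields are accessible here, a release-mode guard along the lines of `if (seg->length > seg->size) { Js::Throw::FatalInternalError(); }` would give both paths the same hardening. I also cannot tell from this hunk whether `seg->left <= limit` is guaranteed on this path; if it is not, `limit - seg->left` wraps as unsigned, `min()` then returns `newSize` unchanged, and the new check compares length against size rather than size against the array limit, so it would not notice. The enclosing function starts and ends outside the hunk.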
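Review bot: In the second hunk `SparseArraySegmentBase* renumberSeg = pArr->head->next;` is now captured right after the `Assert`, well before the type-detection block that the third hunk closes and before whatever runs between the two hunks; if anything in that gap can replace `pArr->head` (which I cannot confirm from the visible lines), the pointer walked by the `renumberSeg->left += unshiftElements` loop would be stale. Reading the head at the point of use, i.e. `SparseArraySegmentBase* renumberSeg = pArr->head->next;` immediately before `while (renumberSeg)`, removes the question without changing the order of the renumbering relative to the helper call. A one-line comment on the declaration, `// walked below to advance every tail segment's 'left' before the helper runs`, would also record why the loop must precede `UnshiftHelper`. The enclosing function begins and ends outside these hunks.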
@@ -7709,6 +7697,26 @@ namespace Js
 renumberSeg = renumberSeg->next;
 }
+ try
+ {
+ if (isIntArray)
+ {
+ UnshiftHelper(pArr, unshiftElements, args.Values);
+ }
+ else if (isFloatArray)
+ {
+ UnshiftHelper(pArr, unshiftElements, args.Values);
+ }
+ else
+ {
+ UnshiftHelper(pArr, unshiftElements, args.Values);
+ }
+ }
+ catch (...)
+ {
+ Js::Throw::FatalInternalError();
+ }
+
 pArr->InvalidateLastUsedSegment();
 pArr->length += unshiftElements;
diff --git a/deps/chakrashim/core/test/Array/bug_12044876.js b/deps/chakrashim/core/test/Array/bug_12044876.js
new file mode 100644
index 00000000000..cce7a59e4ae
--- /dev/null
+++ b/deps/chakrashim/core/test/Array/bug_12044876.js
@@ -0,0 +1,38 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+//switches: -forcearraybtree
+
+// x86debug: lib\runtime\Library/JavascriptArray.inl, current->left >= lastindex
+function test0() {
+ var arr = [4294967296];
+ arr[9] = 19;
+ arr.unshift(1, 2, {}, 4, 5, 6, 7, 8, 9, 10, 11, 12);
+}
+
+// x64debug: lib\Runtime\Library\SparseArraySegment.cpp, length <= size
+function test1() {
+ function makeArrayLength() {
+ return 100;
+ }
+ var obj0 = {};
+ var protoObj0 = {};
+ var obj1 = {};
+ var arrObj0 = {};
+ var func0 = function () {
+ };
+ var func1 = function () {
+ };
+ obj0.method1 = func0;
+ var ary = Array();
+ var IntArr1 = new Array();
+ IntArr1[15] = ~obj1.prop0;
+ arrObj0.length = makeArrayLength();
+ IntArr1[10] = arrObj0.length;
+ makeArrayLength(IntArr1.unshift(func1(), ary, obj0.method1(), protoObj0, Object(), arrObj0, -1877547837));
+}
+
+test0();
+test1();
+console.log("Pass");
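Review bot: The new `catch (...)` around the three `UnshiftHelper` calls turns any exception, including an allocation failure that used to unwind cleanly, into `Js::Throw::FatalInternalError()`, and nothing in the hunk says why that is now the right outcome; the reason is in the context just above it: the `renumberSeg->left += unshiftElements` loop has already advanced every segment's `left`, so a throw from the helper would leave an array whose offsets no longer match its contents, which is the CVE-2017-0238 condition this change exists to close. Put that in a comment on the `try`, e.g. `// Segment 'left' fields were advanced above; a throw here would leave the array inconsistent, so fail fast rather than unwind.`, so the fatal error is not later "fixed" back into a rethrow. If the helper can only fail through one exception type, catching that type instead of `...` would document the intent and keep truly unexpected exceptions distinguishable in crash triage, though I cannot confirm the helper's failure modes from this hunk. The enclosing function begins and ends outside the hunk.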
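Review bot: Both tests only prove that `unshift` does not crash: `test0` discards the result and `test1` hands it to `makeArrayLength`, which ignores its argument, so a release build with wrong segment offsets would still print "Pass", and the file's own comments say the failures were only seen as x86debug/x64debug assertions. Checking the contents after the call makes the regression visible in every build, e.g. at the end of `test0`: `if (arr.length !== 22 || arr[12] !== 4294967296 || arr[21] !== 19) throw new Error("test0: unshift left the array inconsistent");`, and likewise for `IntArr1` in `test1` (expected length 23, `IntArr1[17] === 100`, `IntArr1[22] === -1`). The `-forcearraybtree` switch appears both in the `//switches:` comment and in rlexe.xml; the comment is what someone running the file by hand will follow, so the two must stay in sync.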
diff --git a/deps/chakrashim/core/test/Array/rlexe.xml b/deps/chakrashim/core/test/Array/rlexe.xml index 1326bf40cf2..0449ebae3ce 100644 --- a/deps/chakrashim/core/test/Array/rlexe.xml +++ b/deps/chakrashim/core/test/Array/rlexe.xml @@ -732,6 +732,13 @@ bug_9575461.js + + + bug_12044876.js + -forcearraybtree + BugFix + + array_conv_src.js