
Issue metadata

Status: Fixed
Closed: Nov 29


Issue 1665: WebKit: JSC: BytecodeGenerator::hoistSloppyModeFunctionIfNecessary doesn't invalidate the ForInContext object.

Reported by, Sep 13 Project Member

Issue description

This is similar to issue 1263. When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the op_get_direct_pname handler, which uses the property variable directly as a string object without any check.

function trigger() {
    let o = {a: 1};
    for (var k in o) {
        // overwrite the for-in iteration variable
        k = 0x1234;

        // sloppy-mode function declaration with the same name: hoisting it
        // onto the outer scope overwrites k without invalidating the
        // ForInContext (PoC truncated here in the report)
        function k() {
        }
    }
}
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
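The language-level behaviour the report relies on, as an added example that is not part of the original report or of WebKit: in sloppy mode a function declaration inside a block is also hoisted onto the function-scoped `var` of the same name (ECMAScript Annex B.3.3), so it overwrites a for-in iteration variable just as a plain assignment does. A correct engine must treat both as invalidating the cached enumeration key and fall back to an ordinary lookup with ToPropertyKey(k), which is what a patched engine returns below. The bodies are built with the Function constructor (an assumption for portability, not something the report does) so they run in sloppy mode even if this file is loaded as a strict-mode module, where the hoisting does not occur.

```javascript
// Added example, not code from the original report or from WebKit.
// Constructed input: o = { a: 1 }. Each case records typeof k before and
// after the overwrite, then the result of o[k] after it.

// Plain assignment to the loop variable.
const assignmentCase = new Function(`
  const o = { a: 1 };
  const seen = [];
  for (var k in o) {
    seen.push(typeof k);   // "string": k holds the enumerated key "a"
    k = 0x1234;            // overwrite the iteration variable
    seen.push(typeof k);   // "number"
    seen.push(o[k]);       // ordinary lookup of o["4660"]: undefined
  }
  return seen;
`);

// Sloppy-mode function hoisting (Annex B.3.3) overwriting the loop variable.
const hoistCase = new Function(`
  const o = { a: 1 };
  const seen = [];
  for (var k in o) {
    seen.push(typeof k);   // "string"
    {
      function k() {}      // block-level declaration; evaluating it in sloppy
    }                      // mode also stores the function into var k
    seen.push(typeof k);   // "function": var k was overwritten by the hoist
    seen.push(o[k]);       // ordinary lookup of o["function k() {}"]: undefined
  }
  return seen;
`);

// Runs both cases and returns what each observed.
function runBoth() {
  return { assignment: assignmentCase(), hoist: hoistCase() };
}
```

Both sequences end in `undefined` because the engine performs a generic property lookup once `k` no longer holds the enumeration key; an engine that keeps using the stale ForInContext would instead hand the number or function object to op_get_direct_pname as if it were the cached string, which is the condition the report describes.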

Comment 2 by, Nov 29

Project Member
Labels: -Restrict-View-Commit CVE-2018-4386
Status: Fixed (was: New)
