
4 matches found

seebug.org
added 2017/07/27 12:0 a.m. | 23 views

WebKit: JSC: Incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)

Here's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry). void flush(InlineStackEntry* inlineStackEntry) ... if (m_graph.needsScopeRegister()) flush(m_codeBlock->scopeRegister()); m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of...

AI score: 7
Exploits: 0
exploitpack
added 2017/07/25 12:0 a.m. | 10 views

WebKit JSC - DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry) Incorrect Scope Register Handling

WebKit JSC - DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry) Incorrect Scope Register Handling scopeRegister; m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase...

AI score: 0.2
Exploits: 0
Packet Storm
added 2017/07/25 12:0 a.m. | 32 views

WebKit JSC Incorrect Scope Register Handling

WebKit: JSC: Incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry) CVE-2017-7018 Here's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry). void flush(InlineStackEntry* inlineStackEntry) ... if (m_graph.needsScopeRegister...

CVSS: 6.8 | AI score: 0.2 | EPSS: 0.03472
Exploits: 2
Exploit DB
added 2017/07/25 12:0 a.m. | 33 views

WebKit JSC - 'DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)' Incorrect Scope Register Handling

scopeRegister; m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase. PoC: -- function f function eval'1'; f; ; throw 1; f;...

AI score: 7.4
Exploits: 0