[CVE-2018-0891] RegExp.lastMatch memory disclosure - Google, Inc.

While updating the lastInput, we have caused the .match function to be called which made the regexp
data to be invalid. Fixed that by Ensuring again in-case the reset flag is set or not.

lib/Runtime/Library/JavascriptRegExpConstructor.cpp

@@ -355,8 +355,12 @@ namespace Js
         case PropertyIds::input:
         case PropertyIds::$_:
             //TODO: review: although the 'input' property is marked as readonly, it has a set on V5.8. There is no spec on this.
-            EnsureValues(); // The last match info relies on the last input. Use it before it is changed.
-            this->lastInput = JavascriptConversion::ToString(value, this->GetScriptContext());
+            {
+                auto tempInput = JavascriptConversion::ToString(value, this->GetScriptContext());
+                // Above toString call can cause user code to be called, which may call .match to invalidate our state, ensure that we have proper values in case that happens.
+                EnsureValues();  // The last match info relies on the last input. Use it before it is changed.
+                this->lastInput = tempInput;
+            }
             *result = true;
             return true;
         case PropertyIds::lastMatch:

lib/Runtime/Library/SubString.cpp

@@ -33,7 +33,7 @@ namespace Js
 
         Recycler* recycler = scriptContext->GetRecycler();
 
-        Assert(string->GetLength() >= start + length);
+        AssertOrFailFast(string->GetLength() >= start + length);
         const char16 * subString = string->GetString() + start;
         void const * originalFullStringReference = string->GetOriginalStringReference();