From b488088279391deaaacfce4f0756caaefc284109 Mon Sep 17 00:00:00 2001
From: Aneesh Divakarakurup
Date: Fri, 1 Dec 2017 15:22:11 -0800
Subject: [PATCH] [CVE-2017-11914] JavascriptGeneratorFunction::GetPropertyBuiltIns exposes scriptFunction - Google, Inc.

While trying to get the length property pass the generator function as this not the inner script function.
---
 lib/Runtime/Library/JavascriptGeneratorFunction.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Runtime/Library/JavascriptGeneratorFunction.cpp b/lib/Runtime/Library/JavascriptGeneratorFunction.cpp
index 9f9168a1a5f..385906a5d8a 100644
--- a/lib/Runtime/Library/JavascriptGeneratorFunction.cpp
+++ b/lib/Runtime/Library/JavascriptGeneratorFunction.cpp
@@ -307,7 +307,7 @@ namespace Js
 // to get the length from our private ScriptFunction instead of ourself.
 int len = 0;
 Var varLength;
- if (scriptFunction->GetProperty(scriptFunction, PropertyIds::length, &varLength, NULL, requestContext))
+ if (scriptFunction->GetProperty(this, PropertyIds::length, &varLength, NULL, requestContext))
 {
 len = JavascriptConversion::ToInt32(varLength, requestContext);
 }
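Review bot: The comment on the hunk's first context line still only says the length is read from the private ScriptFunction, but nothing in the code records why the receiver passed to GetProperty is now `this` rather than `scriptFunction`, so a later cleanup could plausibly revert it. I'd extend that comment to `// Look up length on the private ScriptFunction, but pass the generator function (this) as the receiver so the private ScriptFunction is never handed out to script through this lookup (CVE-2017-11914).` Since the fix lives entirely in the receiver argument, a regression test that checks the value observed as the receiver during the length lookup is the generator function would pin this behaviour; I cannot tell from the hunk whether the commit adds one. The enclosing GetPropertyBuiltIns body starts and ends outside the hunk.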