[CVE-2017-11919] An infoleak bug in the latest version of Edge - Qiho…

…o 360 In ConstructName the finalName is copied over from propertyName which can contain null character in between. In that case part of finalName will remain uninitialized as we use RecyclerNewArrayLeaf to allocate finalName with the length of propertyName.
chakra-core · Dec 7, 2017 · fde1643 · fde1643
1 parent b488088
commit fde1643
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/Runtime/Library/JavascriptObject.cpp b/lib/Runtime/Library/JavascriptObject.cpp
@@ -1857,7 +1857,7 @@ namespace Js
             size_t totalChars;
             if (SizeTAdd(propertyLength, ConstructNameGetSetLength, &totalChars) == S_OK)
             {
-                finalName = RecyclerNewArrayLeaf(scriptContext->GetRecycler(), char16, totalChars);
+                finalName = RecyclerNewArrayLeafZ(scriptContext->GetRecycler(), char16, totalChars);
                 Assert(finalName != nullptr);
                 const char16* propertyName = propertyRecord->GetBuffer();
                 Assert(propertyName != nullptr);