[CVE-2017-8741]: Limit JSON Stringify Loop to Initialized Portion

Penguinwizzard · Suwei Chen · commit 9870b0988c88 · 2017-09-14T10:29:06.000-07:00
CustomExternalObjects can override the enumeration operations to
have side effects. In such a case, an object can be passed to an
invocation of JSON::Stringify, leading to stack values being used
inappropriately.
diff --git a/lib/Runtime/Library/JSON.cpp b/lib/Runtime/Library/JSON.cpp
@@ -708,7 +708,8 @@ namespace JSON
                             }
 
                             // walk the property name list
-                            for (uint k = 0; k < precisePropertyCount; k++)
+                            // Note that we're only walking up to index, not precisePropertyCount, as we only know that we've filled the array up to index
+                            for (uint k = 0; k < index; k++)
                             {
                                 propertyName = Js::JavascriptString::FromVar(nameTable[k]);
                                 scriptContext->GetOrAddPropertyRecord(propertyName->GetString(), propertyName->GetLength(), &propRecord);
