[CVE-2017-8741]: Limit JSON Stringify Loop to Initialized Portion

Penguinwizzard · Suwei Chen · commit 9870b0988c88 · 2017-09-14T10:29:06.000-07:00
CustomExternalObjects can override the enumeration operations to
have side effects. In such a case, an object can be passed to an
invocation of JSON::Stringify, leading to stack values being used
inappropriately.
diff --git a/lib/Runtime/Library/JSON.cpp b/lib/Runtime/Library/JSON.cpp
@@ -708,7 +708,8 @@ namespace JSON
                             }
 
                             // walk the property name list
-                            for (uint k = 0; k < precisePropertyCount; k++)
+                            // Note that we're only walking up to index, not precisePropertyCount, as we only know that we've filled the array up to index
+                            for (uint k = 0; k < index; k++)
                             {
                                 propertyName = Js::JavascriptString::FromVar(nameTable[k]);
                                 scriptContext->GetOrAddPropertyRecord(propertyName->GetString(), propertyName->GetLength(), &propRecord);

Original file line number	Diff line number	Diff line change
`@@ -708,7 +708,8 @@ namespace JSON`
`708`	`708`	`}`
`709`	`709`
`710`	`710`	`// walk the property name list`
`711`		`- for (uint k = 0; k < precisePropertyCount; k++)`
	`711`	`+ // Note that we're only walking up to index, not precisePropertyCount, as we only know that we've filled the array up to index`
	`712`	`+ for (uint k = 0; k < index; k++)`
`712`	`713`	`{`
`713`	`714`	`propertyName = Js::JavascriptString::FromVar(nameTable[k]);`
`714`	`715`	`scriptContext->GetOrAddPropertyRecord(propertyName->GetString(), propertyName->GetLength(), &propRecord);`