[CVE-2017-11909] JIT: BackwardPass::RemoveEmptyLoopAfterMemOp doesn't…
… insert branches / make break control flow - Google, Inc.
Cellule authored and MikeHolman committed Dec 7, 2017
1 parent 1e7fa7b commit 0e4566a
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions lib/Backend/BackwardPass.cpp
Expand Up @@ -7853,6 +7853,14 @@ BackwardPass::RemoveEmptyLoopAfterMemOp(Loop *loop)

outerBlock->RemovePred(head, this->func->m_fg);
landingPad->RemoveSucc(head, this->func->m_fg);
Assert(landingPad->GetSuccList()->Count() == 0);

IR::Instr* firstOuterInstr = outerBlock->GetFirstInstr();
AssertOrFailFast(firstOuterInstr->IsLabelInstr() && !landingPad->GetLastInstr()->EndsBasicBlock());
IR::LabelInstr* label = firstOuterInstr->AsLabelInstr();
// Add br to Outer block to keep coherence between branches and flow graph
IR::BranchInstr *outerBr = IR::BranchInstr::New(Js::OpCode::Br, label, this->func);
landingPad->InsertAfter(outerBr);
this->func->m_fg->AddEdge(landingPad, outerBlock);

this->func->m_fg->RemoveBlock(head, nullptr);
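
Review bot: The successor-count precondition just ahead of the new branch, `Assert(landingPad->GetSuccList()->Count() == 0);`, is a debug-only assert, while the label and fall-through precondition two lines later uses `AssertOrFailFast`. If the landing pad could still carry another successor in a release build, the unconditional `Br` plus `AddEdge(landingPad, outerBlock)` would again leave the branches and the flow graph out of step, which is the inconsistency the code comment says this keeps coherent; consider `AssertOrFailFast` for that check too. The combined `AssertOrFailFast(firstOuterInstr->IsLabelInstr() && !landingPad->GetLastInstr()->EndsBasicBlock());` would be easier to triage from a crash dump as two separate checks. The commit changes only `lib/Backend/BackwardPass.cpp`, so a regression test that exercises the empty-loop-after-memop path would be worth adding alongside it.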