From 0e4566a4c394cb69834719704a05aa17101ae3f5 Mon Sep 17 00:00:00 2001
From: Michael Ferris
Date: Thu, 26 Oct 2017 15:51:55 -0700
Subject: [PATCH] [CVE-2017-11909] JIT: BackwardPass::RemoveEmptyLoopAfterMemOp doesn't insert branches / make break control flow - Google, Inc.
---
 lib/Backend/BackwardPass.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp
index 7b83fcbda92..4193f4a19d3 100644
--- a/lib/Backend/BackwardPass.cpp
+++ b/lib/Backend/BackwardPass.cpp
@@ -7853,6 +7853,14 @@ BackwardPass::RemoveEmptyLoopAfterMemOp(Loop *loop)
     outerBlock->RemovePred(head, this->func->m_fg);
     landingPad->RemoveSucc(head, this->func->m_fg);
+    Assert(landingPad->GetSuccList()->Count() == 0);
+
+    IR::Instr* firstOuterInstr = outerBlock->GetFirstInstr();
+    AssertOrFailFast(firstOuterInstr->IsLabelInstr() && !landingPad->GetLastInstr()->EndsBasicBlock());
+    IR::LabelInstr* label = firstOuterInstr->AsLabelInstr();
+    // Add br to Outer block to keep coherence between branches and flow graph
+    IR::BranchInstr *outerBr = IR::BranchInstr::New(Js::OpCode::Br, label, this->func);
+    landingPad->InsertAfter(outerBr);
     this->func->m_fg->AddEdge(landingPad, outerBlock);
     this->func->m_fg->RemoveBlock(head, nullptr);
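Review bot: The first added line, `Assert(landingPad->GetSuccList()->Count() == 0);`, only holds in debug builds, while the label/`EndsBasicBlock` precondition two lines below is enforced with `AssertOrFailFast`; if a stale successor survived `RemoveSucc` in a release build, the later `AddEdge` would leave the landing pad with two flow-graph successors but only the single `Br` just inserted, which is the same graph/instruction-stream mismatch this commit is fixing. Consider `AssertOrFailFast(landingPad->GetSuccList()->Count() == 0);` so release builds fail closed on that invariant too. The combined `AssertOrFailFast(firstOuterInstr->IsLabelInstr() && !landingPad->GetLastInstr()->EndsBasicBlock());` would also be easier to triage as two separate checks, since a fail-fast report cannot say which half was violated. A one-line comment above that check stating why it is a hard precondition, e.g. `// The Br below is only correct if landingPad currently falls through and outerBlock starts with a label`, would make the intent clear to the next maintainer; `RemoveEmptyLoopAfterMemOp` begins and ends outside this hunk.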