From bdd48f21a93bd9dc7dd5f783b58df8bef72583c4 Mon Sep 17 00:00:00 2001
From: Chakra Automation
Date: Fri, 7 Feb 2020 18:20:59 -0800
Subject: [PATCH] [CVE-2020-0812]

---
 lib/Runtime/Types/DeferredTypeHandler.cpp | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/Runtime/Types/DeferredTypeHandler.cpp b/lib/Runtime/Types/DeferredTypeHandler.cpp
index a3648adc637..6e4fc5647f7 100644
--- a/lib/Runtime/Types/DeferredTypeHandler.cpp
+++ b/lib/Runtime/Types/DeferredTypeHandler.cpp
@@ -31,7 +31,7 @@ namespace Js
 {
 undeferredFunctionType = functionProxy->GetUndeferredFunctionType();
 }
-if (undeferredFunctionType && !isProto && !instance->IsCrossSiteObject())
+if (undeferredFunctionType && !isProto && !instance->IsCrossSiteObject() && (undeferredFunctionType->GetPrototype() == instance->GetType()->GetPrototype()))
 {
 Assert(undeferredFunctionType->GetIsShared());
 Assert(!CrossSite::IsThunk(undeferredFunctionType->GetEntryPoint()));
@@ -40,9 +40,8 @@ namespace Js
 else
 {
 typeHandler->SetInstanceTypeHandler(instance);
-if (functionProxy && !isProto && typeHandler->GetMayBecomeShared() && !CrossSite::IsThunk(instance->GetType()->GetEntryPoint()) && !PHASE_OFF1(ShareFuncTypesPhase))
+if (functionProxy && !isProto && typeHandler->GetMayBecomeShared() && !CrossSite::IsThunk(instance->GetType()->GetEntryPoint()) && !functionProxy->GetUndeferredFunctionType() && !PHASE_OFF1(ShareFuncTypesPhase))
 {
-Assert(!functionProxy->GetUndeferredFunctionType());
 functionProxy->SetUndeferredFunctionType(ScriptFunction::UnsafeFromVar(instance)->GetScriptFunctionType());
 instance->ShareType();
 }
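Review bot: The new prototype-equality conjunct on the shared-type reuse path in the first hunk carries no comment saying why a cached undeferred type may only be reused when its prototype matches this instance's, so a later maintainer may read it as redundant with the cross-site check and drop it; a line such as `// The proxy's cached shared type is only valid for instances with the same prototype; a mismatch falls through to the unshared path below.` would record the invariant. In the second hunk the runtime test `!functionProxy->GetUndeferredFunctionType()` replaces an Assert that non-debug builds presumably compile out, which is the right change now that the first branch can decline a non-null cached type and reach this path; it deserves a comment stating that a cached type rejected above must not be overwritten with this instance's type. Both conditions have grown to six or seven conjuncts on one line, and hoisting them into named locals such as `const bool prototypeMatches = undeferredFunctionType->GetPrototype() == instance->GetType()->GetPrototype();` would make the invariants reviewable. The enclosing function starts before the first hunk and ends after the second.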