From e245029151a5ee35cdcac13567ee11a168801ba3 Mon Sep 17 00:00:00 2001
From: Anand Goyal
Date: Wed, 15 Apr 2020 18:58:11 -0700
Subject: [PATCH] [CVE-2020-1065] A previous MSRC fix removes the body scope of an enclosing function when a nested function is declared in the param scope of that enclosing function. This an result in us calculating incorrect envIndex for any symbols captured from enclosing scopes if this skipped body scope appears in the frameDisplay being passed to the nested function. This fix addresses the issue by marking the parameter scope also as mustInstantiate = true so we end up computing the correct envIndex. This problem and the fix only triggers when the enclosing function's param and body scopes are merged so the param and body scopes will never appear together in the scope stack and as such will not mess up the envIndex.
---
 lib/Runtime/ByteCode/ScopeInfo.cpp | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/lib/Runtime/ByteCode/ScopeInfo.cpp b/lib/Runtime/ByteCode/ScopeInfo.cpp
index eb64b4a411e..b0f924c9f0f 100644
--- a/lib/Runtime/ByteCode/ScopeInfo.cpp
+++ b/lib/Runtime/ByteCode/ScopeInfo.cpp
@@ -194,6 +194,23 @@ namespace Js
 ScopeInfo * scopeInfo = ScopeInfo::SaveScopeInfo(byteCodeGenerator, currentScope, byteCodeGenerator->GetScriptContext());
 if (scopeInfo != nullptr)
 {
+ if (funcInfo->root->IsDeclaredInParamScope())
+ {
+ FuncInfo* func = byteCodeGenerator->GetEnclosingFuncInfo();
+ Assert(func);
+
+ if (func->IsBodyAndParamScopeMerged())
+ {
+ Assert(currentScope == func->GetParamScope() && currentScope->GetScopeType() == ScopeType_Parameter);
+ Assert(scopeInfo->GetScopeType() == ScopeType_Parameter);
+ Assert(func->GetBodyScope());
+
+ // If the current function is nested in the param scope of it's enclosing function we may have
+ // skipped the body scope and in may not be the scope stack but the body scope might still be
+ // in the frame display and we will need to account for it. See ByteCodeGenerateor::FindScopeForSym.
+ scopeInfo->mustInstantiate = func->GetBodyScope()->GetMustInstantiate();
+ }
+ }
 funcInfo->byteCodeFunction->SetScopeInfo(scopeInfo);
 }
 }
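Review bot: `scopeInfo->mustInstantiate = func->GetBodyScope()->GetMustInstantiate();` overwrites whatever SaveScopeInfo just computed for the param scope rather than widening it; if the param scope's own flag can already be true while the body scope's is false, this assignment lowers it and the envIndex mismatch the patch is closing reappears in the other direction, so `scopeInfo->mustInstantiate |= func->GetBodyScope()->GetMustInstantiate();` is the conservative form unless the merged case guarantees the param flag is never independently true, which the hunk does not show. The `Assert(func)` and `Assert(func->GetBodyScope())` guards are presumably compiled out in release builds, so the dereferences that follow them run unchecked there; if this codebase has a fail-fast assertion variant, it belongs on these two, since an incorrect envIndex is the defect this CVE fix exists to prevent. The added comment also has typos that obscure the rationale it is meant to record: `it's` should be `its`, `in may not be the scope stack` should be `it may not be in the scope stack`, and `ByteCodeGenerateor::FindScopeForSym` should be `ByteCodeGenerator::FindScopeForSym`. The enclosing function starts and ends outside the hunk.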