[1.10>1.11] [MERGE #5688 @MikeHolman] September 2018 Security Update
Merge pull request #5688 from MikeHolman:servicing/1809
September 2018 Security Update that addresses the following issues in ChakraCore:
CVE-2018-8315
CVE-2018-8354
CVE-2018-8367
CVE-2018-8452
CVE-2018-8456
CVE-2018-8459
CVE-2018-8465
CVE-2018-8466
CVE-2018-8467
diff --git a/Build/NuGet/.pack-version b/Build/NuGet/.pack-version
index 5ad2491..1cac385 100644
--- a/Build/NuGet/.pack-version
+++ b/Build/NuGet/.pack-version
@@ -1 +1 @@
-1.10.2
+1.11.0
diff --git a/Build/NuGet/Microsoft.ChakraCore.nuspec b/Build/NuGet/Microsoft.ChakraCore.nuspec
index bb5955a..27c5c21 100644
--- a/Build/NuGet/Microsoft.ChakraCore.nuspec
+++ b/Build/NuGet/Microsoft.ChakraCore.nuspec
@@ -4,7 +4,7 @@
<id>Microsoft.ChakraCore</id>
<!-- Note: actual version number is overridden by the NuGet package creation command. -->
<version>$version$</version>
- <authors>Chakra Team</authors>
+ <authors>Microsoft</authors>
<owners>Chakra Team</owners>
<licenseUrl>https://github.com/Microsoft/ChakraCore/blob/master/LICENSE.txt</licenseUrl>
<projectUrl>https://github.com/Microsoft/ChakraCore</projectUrl>
@@ -12,7 +12,7 @@
<developmentDependency>true</developmentDependency>
<description>ChakraCore is the core part of the Chakra Javascript engine that powers Microsoft Edge.</description>
<releaseNotes>https://github.com/Microsoft/ChakraCore/wiki/Roadmap#release-notes</releaseNotes>
- <copyright>Copyright (C) 2016 Microsoft</copyright>
+ <copyright>© Microsoft Corporation. All rights reserved.</copyright>
<language>en-US</language>
<tags>Chakra,ChakraCore,javascript,js,ecmascript,compiler,platform,oss,opensource,native</tags>
<dependencies>
diff --git a/Build/NuGet/Microsoft.ChakraCore.vc140.nuspec b/Build/NuGet/Microsoft.ChakraCore.vc140.nuspec
index 079a4b9..1a9961b 100644
--- a/Build/NuGet/Microsoft.ChakraCore.vc140.nuspec
+++ b/Build/NuGet/Microsoft.ChakraCore.vc140.nuspec
@@ -4,7 +4,7 @@
<id>Microsoft.ChakraCore.vc140</id>
<!-- Note: actual version number is overridden by the NuGet package creation command. -->
<version>$version$</version>
- <authors>Chakra Team</authors>
+ <authors>Microsoft</authors>
<owners>Chakra Team</owners>
<licenseUrl>https://github.com/Microsoft/ChakraCore/blob/master/LICENSE.txt</licenseUrl>
<projectUrl>https://github.com/Microsoft/ChakraCore</projectUrl>
@@ -12,7 +12,7 @@
<developmentDependency>true</developmentDependency>
<description>ChakraCore is the core part of the Chakra Javascript engine that powers Microsoft Edge.</description>
<releaseNotes>https://github.com/Microsoft/ChakraCore/wiki/Roadmap#release-notes</releaseNotes>
- <copyright>Copyright (C) 2016 Microsoft</copyright>
+ <copyright>© Microsoft Corporation. All rights reserved.</copyright>
<language>en-US</language>
<tags>Chakra,ChakraCore,javascript,js,ecmascript,compiler,platform,oss,opensource,native,nativepackage,C++,vc140</tags>
</metadata>
diff --git a/build.sh b/build.sh
index e07e941..746666a 100755
--- a/build.sh
+++ b/build.sh
@@ -546,7 +546,7 @@
fi
# check clang version (min required 3.7)
-VERSION=$($CLANG_PATH --version | grep "version [0-9]*\.[0-9]*" --o -i | grep "[0-9]\.[0-9]*" --o)
+VERSION=$($CLANG_PATH --version | grep "version [0-9]*\.[0-9]*" --o -i | grep "[0-9]*\.[0-9]*" --o)
VERSION=${VERSION/./}
if [[ $VERSION -lt 37 ]]; then
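Review bot: The widened first digit class fixes two-digit majors such as 10.0 (with the old pattern the second grep matched `0.0`), but `VERSION=${VERSION/./}` still turns major and minor into one concatenated number, so `10.0` becomes `100` and a hypothetical `3.10` would become `310`; the `-lt 37` test works for the releases seen so far but does not compare versions positionally. Splitting the fields keeps it robust: `MAJOR=${VERSION%%.*}; MINOR=${VERSION#*.}` and `if [[ $MAJOR -lt 3 || ( $MAJOR -eq 3 && $MINOR -lt 7 ) ]]; then`. The body of the `if` continues outside the hunk.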
diff --git a/lib/Backend/CodeGenWorkItem.h b/lib/Backend/CodeGenWorkItem.h
index 8ec2453..9a02508 100644
--- a/lib/Backend/CodeGenWorkItem.h
+++ b/lib/Backend/CodeGenWorkItem.h
@@ -213,12 +213,11 @@ struct JsFunctionCodeGen sealed : public CodeGenWorkItem
{
const WCHAR* name = functionBody->GetExternalDisplayName();
size_t nameSizeInChars = wcslen(name) + 1;
- size_t sizeInBytes = nameSizeInChars * sizeof(WCHAR);
- if(displayName == NULL || sizeInChars < nameSizeInChars)
+ if (displayName == NULL || sizeInChars < nameSizeInChars)
{
- return nameSizeInChars;
+ return nameSizeInChars;
}
- js_wmemcpy_s(displayName, sizeInChars, name, sizeInBytes);
+ js_wmemcpy_s(displayName, nameSizeInChars, name, nameSizeInChars);
return nameSizeInChars;
}
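Review bot: The destination-capacity argument on the new `js_wmemcpy_s` line is `nameSizeInChars`, the length of the source, rather than the caller-supplied `sizeInChars`, so the copy routine's own bounds check no longer describes the real size of `displayName`; the copy stays in bounds only because of the `sizeInChars < nameSizeInChars` guard two lines above. Passing the actual capacity keeps the two checks independent: `js_wmemcpy_s(displayName, sizeInChars, name, nameSizeInChars);`. Counting the copy length in WCHARs instead of bytes is the right fix for the old `sizeInBytes` overcopy. The enclosing function's signature is outside the hunk, so `sizeInChars` is taken to be a character count from its use on the guard line.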
diff --git a/lib/Common/ChakraCoreVersion.h b/lib/Common/ChakraCoreVersion.h
index 3daf687..2432fcb 100644
--- a/lib/Common/ChakraCoreVersion.h
+++ b/lib/Common/ChakraCoreVersion.h
@@ -16,8 +16,8 @@
// ChakraCore version number definitions (used in ChakraCore binary metadata)
#define CHAKRA_CORE_MAJOR_VERSION 1
-#define CHAKRA_CORE_MINOR_VERSION 10
-#define CHAKRA_CORE_PATCH_VERSION 2
+#define CHAKRA_CORE_MINOR_VERSION 11
+#define CHAKRA_CORE_PATCH_VERSION 0
#define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
// -------------
diff --git a/lib/Common/DataStructures/QuickSort.h b/lib/Common/DataStructures/QuickSort.h
index 2a38ac2..497a9fa 100644
--- a/lib/Common/DataStructures/QuickSort.h
+++ b/lib/Common/DataStructures/QuickSort.h
@@ -244,9 +244,12 @@ namespace JsUtil
const size_t pivot = (nmemb - 1) * size;
// make last element the median(pivot)
CCQ_SWAP(base + pivot, base + ((nmemb / 2) * size), size);
+
// standard qsort pt. below
- for (size_t i = 0; i < pivot; i+= size)
+ size_t i = 0;
+ for (; i < nmemb / 2 * size; i+= size)
{
+ // During the first half, count equal values as below the pivot
if (comparer(context, base + i, base + pivot) <= 0)
{
CCQ_SWAP(base + i, base + (pos * size), size);
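Review bot: The two partition passes say what they do but not why, and the first loop's bound `nmemb / 2 * size` deliberately differs from the `pivot` bound the second loop uses, which a later reader may "fix" back. A comment above `size_t i = 0;` should record the intent, e.g. `// Split equal elements: the first half treats them as below the pivot and the second half as above it, so a run of equal values ends with the pivot near the middle instead of all on one side (gh5667).` Sort's entry and the nmemb/size checks are outside this hunk.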
@@ -254,14 +257,19 @@ namespace JsUtil
}
}
+ for (; i < pivot; i+= size)
+ {
+ // During the second half, count equal values as above the pivot
+ if (comparer(context, base + i, base + pivot) < 0)
+ {
+ CCQ_SWAP(base + i, base + (pos * size), size);
+ pos++;
+ }
+ }
+
// issue the last change
CCQ_SWAP(base + (pos * size), base + pivot, size);
- if (pos >= nmemb - 1)
- {
- return; // looks like it was either all sorted OR nothing to sort
- }
-
Sort(base, pos++, size, comparer, context);
Sort(base + (pos * size), nmemb - pos, size, comparer, context);
}
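Review bot: With the `if (pos >= nmemb - 1) return;` early-out removed, an input where every element compares below the pivot leaves `pos == nmemb - 1` after the final swap, and the second recursive call becomes `Sort(base + nmemb * size, 0, size, comparer, context)` with a zero count; this is only safe if Sort's entry guard, which is outside the hunk, treats `nmemb == 0` as a no-op, so that should be confirmed rather than assumed. The comparer is caller-supplied and the updated typed-array expectation in this same commit shows inconsistent callbacks are expected, so it is worth stating at the top of Sort that both recursive ranges are strictly smaller than `nmemb` because the pivot is placed at `pos` and excluded from both, which is what now guarantees termination regardless of the comparer's answers.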
diff --git a/lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h b/lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h
index 461e84e..3c6cf1f 100644
--- a/lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h
+++ b/lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h
@@ -3,7 +3,8 @@
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
//-------------------------------------------------------------------------------------------------------
// NOTE: If there is a merge conflict the correct fix is to make a new GUID.
+// This file was generated with tools\update_bytecode_version.ps1
-// {18949169-1B93-4123-B34A-F42F1C1EAF9A}
+// {BAE0C525-F1E9-4DCF-AF50-C70ACB3E4A7F}
const GUID byteCodeCacheReleaseFileVersion =
-{ 0x18949169, 0x1B93, 0x4123, { 0xB3, 0x4A, 0xF4, 0x2F, 0x1C, 0x1E, 0xAF, 0x9A } };
+{ 0xBAE0C525, 0xF1E9, 0x4DCF, { 0xAF, 0x50, 0xC7, 0x0A, 0xCB, 0x3E, 0x4A, 0x7F } };
diff --git a/test/Array/array_qsortr_random.js b/test/Array/array_qsortr_random.js
new file mode 100644
index 0000000..f9fb68a
--- /dev/null
+++ b/test/Array/array_qsortr_random.js
@@ -0,0 +1,50 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+function getRandomArray(size)
+{
+ const arr = [];
+
+ for (let i = 0; i < size; ++i)
+ {
+ arr[i] = Math.random() * 100 | 0;
+ }
+
+ return arr;
+}
+
+function testRandomSort(size)
+{
+ const unsorted = getRandomArray(size);
+
+ // Copy the array and sort it
+ const sorted = unsorted.slice();
+ sorted.sort(function (a, b){ return a - b;});
+
+ // Verify that the array is sorted
+ for (let i = 1; i < size; ++i)
+ {
+ // Sort has not completed correctly
+ if (sorted[i] < sorted[i - 1])
+ {
+ WScript.Echo(`Unsorted: ${unsorted}`);
+ WScript.Echo(`Sorted: ${sorted}`);
+ throw new Error(`Array is not sorted correctly at index '${i}'`);
+ }
+ }
+}
+
+function stressTestSort(iterations, size = 1000)
+{
+ for (let i = 0; i < iterations; ++i)
+ {
+ testRandomSort(size);
+ }
+}
+
+// Test 1000 random arrays of 1000 elements, print out the failures.
+stressTestSort(1000, 1000);
+
+WScript.Echo("PASS");
diff --git a/test/Array/bug_gh5667.js b/test/Array/bug_gh5667.js
new file mode 100644
index 0000000..f69c6b0
--- /dev/null
+++ b/test/Array/bug_gh5667.js
@@ -0,0 +1,34 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+// Test a bug fix for the xplat qsort implementation
+// https://github.com/Microsoft/ChakraCore/issues/5667
+function testArray(size)
+{
+ // Create an array with all the same value
+ const arr = new Array(size);
+ arr.fill(100);
+
+ // Change the second to last value to be smaller
+ arr[arr.length - 2] = 99;
+
+ // Sort the array
+ arr.sort((a, b) => a - b);
+
+ // Verify that the array is sorted
+ for (let i = 1; i < arr.length; ++i)
+ {
+ if (arr[i] < arr[i - 1])
+ {
+ // Sort has not completed correctly
+ throw new Error (`Array is not sorted correctly at index '${i}'`);
+ }
+ }
+}
+
+testArray(512);
+testArray(513);
+
+WScript.Echo("PASS");
diff --git a/test/Array/rlexe.xml b/test/Array/rlexe.xml
index 6981f72..58256c2 100644
--- a/test/Array/rlexe.xml
+++ b/test/Array/rlexe.xml
@@ -775,4 +775,16 @@
<files>bug16717501.js</files>
</default>
</test>
+ <test>
+ <default>
+ <files>bug_gh5667.js</files>
+ <tags>exclude_windows</tags>
+ </default>
+ </test>
+ <test>
+ <default>
+ <files>test_qsortr_random.js</files>
+ <tags>exclude_windows</tags>
+ </default>
+ </test>
</regress-exe>
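Review bot: The second new entry registers `test_qsortr_random.js`, but the file this commit adds is `test/Array/array_qsortr_random.js`, so the stress test is never picked up by the runner (or fails on a missing file, depending on how rlexe reports it). The `<files>` line should read `<files>array_qsortr_random.js</files>`, or the new file should be renamed to match. Both entries being tagged `exclude_windows` is consistent with the fix living in the xplat qsort.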
diff --git a/test/es6/ES6TypedArrayExtensions.js b/test/es6/ES6TypedArrayExtensions.js
index 218d9bf..3e16ecb 100644
--- a/test/es6/ES6TypedArrayExtensions.js
+++ b/test/es6/ES6TypedArrayExtensions.js
@@ -1486,7 +1486,7 @@
if (WScript.Platform.OS == "win32") { // Windows
assert.areEqual([9,8,7,2,10,5,4,3,1,6], getTypedArray(10).sort(sortCallbackMalformed), "%TypedArrayPrototype%.sort basic behavior with a sort callback which returns random values");
} else { // xplat
- assert.areEqual([2,9,8,7,10,4,1,3,5,6], getTypedArray(10).sort(sortCallbackMalformed), "%TypedArrayPrototype%.sort basic behavior with a sort callback which returns random values");
+ assert.areEqual([2,9,10,8,7,5,4,3,6,1], getTypedArray(10).sort(sortCallbackMalformed), "%TypedArrayPrototype%.sort basic behavior with a sort callback which returns random values");
}
assert.throws(function() { sort.call(); }, TypeError, "Calling %TypedArrayPrototype%.sort with no this throws TypeError", "'this' is not a typed array object");
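Review bot: The updated expectation pins the exact permutation the xplat qsort now produces for an inconsistent comparator, an ordering that is unspecified and will move again with any partition change, as this very update demonstrates. If the case exists to show that a malformed callback neither throws nor loses elements, asserting the length and the sorted contents of the result would be stable across implementations; if pinning the ordering is intentional, a comment on the `else { // xplat` branch saying that the value is implementation-defined and must be regenerated when QuickSort.h changes would save the next person a debugging session.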
diff --git a/tools/update_bytecode_version.ps1 b/tools/update_bytecode_version.ps1
index 87cc069..c611dc1 100644
--- a/tools/update_bytecode_version.ps1
+++ b/tools/update_bytecode_version.ps1
@@ -20,14 +20,14 @@
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
//-------------------------------------------------------------------------------------------------------
// NOTE: If there is a merge conflict the correct fix is to make a new GUID.
-// This file was generated with core\tools\update_bytecode_version.ps1
+// This file was generated with tools\update_bytecode_version.ps1
"@
-$version=[Guid]::NewGuid().ToString()
+$version=[Guid]::NewGuid().ToString().ToUpper()
Write-Header $copyright
-Write-Header "// $version"
+Write-Header "// {$version}"
Write-Header "const GUID byteCodeCacheReleaseFileVersion ="
$version -match "^(\w{8})-(\w{4})-(\w{4})-(\w{4}-\w{12})$" | Out-Null