[1.10>1.11] [MERGE #5827 @pleath] November, 2018 Servicing Update

Merge pull request #5827 from pleath:servicing/1811

Addresses the following:

CVE-2018-8541
CVE-2018-8542
CVE-2018-8543
CVE-2018-8551
CVE-2018-8555
CVE-2018-8556
CVE-2018-8557
CVE-2018-8588
diff --git a/Build/NuGet/.pack-version b/Build/NuGet/.pack-version
index 5ad2491..0a5af26 100644
--- a/Build/NuGet/.pack-version
+++ b/Build/NuGet/.pack-version
@@ -1 +1 @@
-1.10.2
+1.11.3
diff --git a/Build/NuGet/Microsoft.ChakraCore.nuspec b/Build/NuGet/Microsoft.ChakraCore.nuspec
index bb5955a..27c5c21 100644
--- a/Build/NuGet/Microsoft.ChakraCore.nuspec
+++ b/Build/NuGet/Microsoft.ChakraCore.nuspec
@@ -4,7 +4,7 @@
     <id>Microsoft.ChakraCore</id>
     <!-- Note: actual version number is overridden by the NuGet package creation command. -->
     <version>$version$</version>
-    <authors>Chakra Team</authors>
+    <authors>Microsoft</authors>
     <owners>Chakra Team</owners>
     <licenseUrl>https://github.com/Microsoft/ChakraCore/blob/master/LICENSE.txt</licenseUrl>
     <projectUrl>https://github.com/Microsoft/ChakraCore</projectUrl>
@@ -12,7 +12,7 @@
     <developmentDependency>true</developmentDependency>
     <description>ChakraCore is the core part of the Chakra Javascript engine that powers Microsoft Edge.</description>
     <releaseNotes>https://github.com/Microsoft/ChakraCore/wiki/Roadmap#release-notes</releaseNotes>
-    <copyright>Copyright (C) 2016 Microsoft</copyright>
+    <copyright>© Microsoft Corporation. All rights reserved.</copyright>
     <language>en-US</language>
     <tags>Chakra,ChakraCore,javascript,js,ecmascript,compiler,platform,oss,opensource,native</tags>
     <dependencies>
diff --git a/Build/NuGet/Microsoft.ChakraCore.vc140.nuspec b/Build/NuGet/Microsoft.ChakraCore.vc140.nuspec
index 079a4b9..1a9961b 100644
--- a/Build/NuGet/Microsoft.ChakraCore.vc140.nuspec
+++ b/Build/NuGet/Microsoft.ChakraCore.vc140.nuspec
@@ -4,7 +4,7 @@
     <id>Microsoft.ChakraCore.vc140</id>
     <!-- Note: actual version number is overridden by the NuGet package creation command. -->
     <version>$version$</version>
-    <authors>Chakra Team</authors>
+    <authors>Microsoft</authors>
     <owners>Chakra Team</owners>
     <licenseUrl>https://github.com/Microsoft/ChakraCore/blob/master/LICENSE.txt</licenseUrl>
     <projectUrl>https://github.com/Microsoft/ChakraCore</projectUrl>
@@ -12,7 +12,7 @@
     <developmentDependency>true</developmentDependency>
     <description>ChakraCore is the core part of the Chakra Javascript engine that powers Microsoft Edge.</description>
     <releaseNotes>https://github.com/Microsoft/ChakraCore/wiki/Roadmap#release-notes</releaseNotes>
-    <copyright>Copyright (C) 2016 Microsoft</copyright>
+    <copyright>© Microsoft Corporation. All rights reserved.</copyright>
     <language>en-US</language>
     <tags>Chakra,ChakraCore,javascript,js,ecmascript,compiler,platform,oss,opensource,native,nativepackage,C++,vc140</tags>
   </metadata>
diff --git a/build.sh b/build.sh
index e07e941..746666a 100755
--- a/build.sh
+++ b/build.sh
@@ -546,7 +546,7 @@
 fi
 
 # check clang version (min required 3.7)
-VERSION=$($CLANG_PATH --version | grep "version [0-9]*\.[0-9]*" --o -i | grep "[0-9]\.[0-9]*" --o)
+VERSION=$($CLANG_PATH --version | grep "version [0-9]*\.[0-9]*" --o -i | grep "[0-9]*\.[0-9]*" --o)
 VERSION=${VERSION/./}
 
 if [[ $VERSION -lt 37 ]]; then
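Review bot: The comparison on the last line still folds major and minor into a single number (`${VERSION/./}` then `-lt 37`), so the widened grep now handles a two-digit major such as 10.0 (reads as 100) but a two-digit minor would still misorder: 3.10 would read as 310 and pass while 4.0 reads as 40. Comparing the two parts separately avoids the ambiguity: `MAJOR=${VERSION%%.*}; MINOR=${VERSION#*.}` followed by `if (( MAJOR < 3 || (MAJOR == 3 && MINOR < 7) )); then`. If the grep chain matches nothing, VERSION is empty and the `-lt` test evaluates it as 0, which at least fails closed; an explicit "could not parse clang version" message would make that case easier to diagnose.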
diff --git a/lib/Backend/CodeGenWorkItem.h b/lib/Backend/CodeGenWorkItem.h
index 8ec2453..9a02508 100644
--- a/lib/Backend/CodeGenWorkItem.h
+++ b/lib/Backend/CodeGenWorkItem.h
@@ -213,12 +213,11 @@
     {
         const WCHAR* name = functionBody->GetExternalDisplayName();
         size_t nameSizeInChars = wcslen(name) + 1;
-        size_t sizeInBytes = nameSizeInChars * sizeof(WCHAR);
-        if(displayName == NULL || sizeInChars < nameSizeInChars)
+        if (displayName == NULL || sizeInChars < nameSizeInChars)
         {
-           return nameSizeInChars;
+            return nameSizeInChars;
         }
-        js_wmemcpy_s(displayName, sizeInChars, name, sizeInBytes);
+        js_wmemcpy_s(displayName, nameSizeInChars, name, nameSizeInChars);
         return nameSizeInChars;
     }
 
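Review bot: The new `js_wmemcpy_s` call passes `nameSizeInChars` as the destination capacity instead of the real buffer size `sizeInChars`, so the `_s` bounds check compares the copy count against itself and can never fire; the only thing keeping the copy inside `displayName` is the `sizeInChars < nameSizeInChars` guard two lines above. If `js_wmemcpy_s` follows the `wmemcpy_s(dest, destCount, src, count)` convention, `js_wmemcpy_s(displayName, sizeInChars, name, nameSizeInChars);` states the caller's actual capacity and keeps the runtime check meaningful should the guard ever be loosened. The function's signature and the declaration of `sizeInChars` are above the hunk, so its unit (elements, not bytes) should be confirmed there; a one-line comment such as `// sizeInChars and the return value are counts of WCHARs including the terminator` would prevent the byte/char mix-up from recurring.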
diff --git a/lib/Common/ChakraCoreVersion.h b/lib/Common/ChakraCoreVersion.h
index 3daf687..3c5998e 100644
--- a/lib/Common/ChakraCoreVersion.h
+++ b/lib/Common/ChakraCoreVersion.h
@@ -16,8 +16,8 @@
 
 // ChakraCore version number definitions (used in ChakraCore binary metadata)
 #define CHAKRA_CORE_MAJOR_VERSION 1
-#define CHAKRA_CORE_MINOR_VERSION 10
-#define CHAKRA_CORE_PATCH_VERSION 2
+#define CHAKRA_CORE_MINOR_VERSION 11
+#define CHAKRA_CORE_PATCH_VERSION 3
 #define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
 
 // -------------
diff --git a/lib/Common/DataStructures/QuickSort.h b/lib/Common/DataStructures/QuickSort.h
index 2a38ac2..497a9fa 100644
--- a/lib/Common/DataStructures/QuickSort.h
+++ b/lib/Common/DataStructures/QuickSort.h
@@ -244,9 +244,12 @@
             const size_t pivot = (nmemb - 1) * size;
             // make last element the median(pivot)
             CCQ_SWAP(base + pivot, base + ((nmemb / 2) * size), size);
+
             // standard qsort pt. below
-            for (size_t i = 0; i < pivot; i+= size)
+            size_t i = 0;
+            for (; i < nmemb / 2 * size; i+= size)
             {
+                // During the first half, count equal values as below the pivot
                 if (comparer(context, base + i, base + pivot) <= 0)
                 {
                     CCQ_SWAP(base + i, base + (pos * size), size);
@@ -254,14 +257,19 @@
                 }
             }
 
+            for (; i < pivot; i+= size)
+            {
+                // During the second half, count equal values as above the pivot
+                if (comparer(context, base + i, base + pivot) < 0)
+                {
+                    CCQ_SWAP(base + i, base + (pos * size), size);
+                    pos++;
+                }
+            }
+
             // issue the last change
             CCQ_SWAP(base + (pos * size), base + pivot, size);
 
-            if (pos >= nmemb - 1)
-            {
-                return; // looks like it was either all sorted OR nothing to sort
-            }
-
             Sort(base, pos++, size, comparer, context);
             Sort(base + (pos * size), nmemb - pos, size, comparer, context);
         }
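Review bot: With the `pos >= nmemb - 1` early return removed, the second `Sort` call can now be made with `nmemb - pos == 0` elements and the first with `pos == 0`, so correctness depends on a `nmemb < 2` base case that lies above this hunk and should be confirmed. Both calls are strictly smaller than nmemb (pos is at most nmemb - 1 before the increment), so the recursion terminates even when `comparer` is inconsistent, but its depth is still O(n) in the worst case, and `comparer` is script-supplied here, so an adversarial comparator can drive stack depth to the array length. Recursing on the smaller side and iterating on the larger bounds the depth to O(log n) regardless of what the comparator returns; the enclosing block is outside the hunk, so it must become (or already be) a loop that re-partitions `(base, nmemb)` while `nmemb > 1`, and this assumes `base` is a non-const byte pointer as the `base + pivot` arithmetic suggests.
```cpp
            // … unchanged: two-phase partition, final CCQ_SWAP of the pivot into place …

            // Recurse into the smaller side only and iterate on the larger one, so the
            // stack depth is bounded by log2(nmemb) no matter what comparer returns.
            const size_t leftCount = pos;
            const size_t rightCount = nmemb - pos - 1;
            if (leftCount < rightCount)
            {
                Sort(base, leftCount, size, comparer, context);
                base += (pos + 1) * size;
                nmemb = rightCount;
            }
            else
            {
                Sort(base + ((pos + 1) * size), rightCount, size, comparer, context);
                nmemb = leftCount;
            }
            // … the enclosing block loops back to the partition while nmemb > 1 …
```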
diff --git a/lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h b/lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h
index 461e84e..298228f 100644
--- a/lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h
+++ b/lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h
@@ -3,7 +3,8 @@
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 // NOTE: If there is a merge conflict the correct fix is to make a new GUID.
+// This file was generated with tools\update_bytecode_version.ps1
 
-// {18949169-1B93-4123-B34A-F42F1C1EAF9A}
+// {26894CEE-B780-4CD4-B793-7B0972AEEDD9}
 const GUID byteCodeCacheReleaseFileVersion =
-{ 0x18949169, 0x1B93, 0x4123, { 0xB3, 0x4A, 0xF4, 0x2F, 0x1C, 0x1E, 0xAF, 0x9A } };
+{ 0x26894CEE, 0xB780, 0x4CD4, { 0xB7, 0x93, 0x7B, 0x09, 0x72, 0xAE, 0xED, 0xD9 } };
diff --git a/lib/Runtime/Language/JavascriptConversion.cpp b/lib/Runtime/Language/JavascriptConversion.cpp
index c986ace..9f4b4c7 100644
--- a/lib/Runtime/Language/JavascriptConversion.cpp
+++ b/lib/Runtime/Language/JavascriptConversion.cpp
@@ -285,6 +285,10 @@
             // For all other types, convert the key into a string and use that as the property name
             JavascriptString * propName = JavascriptConversion::ToString(key, scriptContext);
             propName->GetPropertyRecord(propertyRecord);
+            if (PropertyString::Is(propName))
+            {
+                propertyString = PropertyString::UnsafeFromVar(propName);
+            }
         }
 
         if (propString)
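Review bot: The new assignment retains `propName` as a `PropertyString`, but nothing in the hunk says why, and the variable it sets (`propertyString`) is one letter away from the `propString` tested on the next line; with both declarations outside the hunk a reader cannot tell whether these are one object or two unrelated ones. A comment above the `Is` check stating the purpose would help, for example `// Keep the PropertyString (if ToString produced one) so the caller can reuse it; Is() must precede UnsafeFromVar` — with the purpose adjusted to what the caller actually does with it. The ordering itself is right: `Is` guards `UnsafeFromVar`, and `GetPropertyRecord` has already run on the same object. The enclosing function starts and ends outside the hunk.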
diff --git a/test/Array/array_qsortr_random.js b/test/Array/array_qsortr_random.js
new file mode 100644
index 0000000..f9fb68a
--- /dev/null
+++ b/test/Array/array_qsortr_random.js
@@ -0,0 +1,50 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+function getRandomArray(size)
+{
+    const arr = [];
+
+    for (let i = 0; i < size; ++i)
+    {
+        arr[i] = Math.random() * 100 | 0;
+    }
+
+    return arr;
+}
+
+function testRandomSort(size)
+{
+    const unsorted = getRandomArray(size);
+
+    // Copy the array and sort it
+    const sorted = unsorted.slice();
+    sorted.sort(function (a, b){ return a - b;});
+
+    // Verify that the array is sorted
+    for (let i = 1; i < size; ++i)
+    {
+        // Sort has not completed correctly
+        if (sorted[i] < sorted[i - 1])
+        {
+            WScript.Echo(`Unsorted: ${unsorted}`);
+            WScript.Echo(`Sorted: ${sorted}`);
+            throw new Error(`Array is not sorted correctly at index '${i}'`);
+        }
+    }
+}
+
+function stressTestSort(iterations, size = 1000)
+{
+    for (let i = 0; i < iterations; ++i)
+    {
+        testRandomSort(size);
+    }
+}
+
+// Test 1000 random arrays of 1000 elements, print out the failures.
+stressTestSort(1000, 1000);
+
+WScript.Echo("PASS");
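Review bot: The verification loop in `testRandomSort` only checks that `sorted` is non-decreasing, so a partition bug that duplicates or drops an element (a wrong swap index, for instance) would still pass as long as the result stays ordered. Checking that `sorted` is a permutation of `unsorted` closes that gap: build a count per value from `unsorted` (values are 0..99), decrement per value in `sorted`, and fail if any count is non-zero or `sorted.length !== unsorted.length`. Separately, `getRandomArray` draws from unseeded `Math.random()`, so a failure is only reproducible from the echoed 1000-element array; a small seeded generator passed into `getRandomArray`, plus the iteration index in the thrown message, would make each of the 1000 runs repeatable.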
diff --git a/test/Array/bug_gh5667.js b/test/Array/bug_gh5667.js
new file mode 100644
index 0000000..f69c6b0
--- /dev/null
+++ b/test/Array/bug_gh5667.js
@@ -0,0 +1,34 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+// Test a bug fix for the xplat qsort implementation
+// https://github.com/Microsoft/ChakraCore/issues/5667
+function testArray(size)
+{
+    // Create an array with all the same value
+    const arr = new Array(size);
+    arr.fill(100);
+
+    // Change the second to last value to be smaller
+    arr[arr.length - 2] = 99;
+
+    // Sort the array
+    arr.sort((a, b) => a - b);
+
+    // Verify that the array is sorted
+    for (let i = 1; i < arr.length; ++i)
+    {
+        if (arr[i] < arr[i - 1])
+        {
+            // Sort has not completed correctly
+            throw new Error (`Array is not sorted correctly at index '${i}'`);
+        }
+    }
+}
+
+testArray(512);
+testArray(513);
+
+WScript.Echo("PASS");
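Review bot: The check in `testArray` only verifies non-decreasing order, so a sort that lost the single 99 (or the whole tail) would still pass because an array of identical values is trivially sorted. Since the expected result is fully known here, pin it: `if (arr.length !== size || arr[0] !== 99 || arr[1] !== 100) { throw new Error("99 was not moved to the front"); }` before the ordering loop. The two sizes 512 and 513 presumably straddle a threshold in the xplat qsort (an even and an odd `nmemb / 2` split); a one-line comment saying which case each exercises would make the choice clear to the next reader.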
diff --git a/test/Array/rlexe.xml b/test/Array/rlexe.xml
index 6981f72..58256c2 100644
--- a/test/Array/rlexe.xml
+++ b/test/Array/rlexe.xml
@@ -775,4 +775,16 @@
       <files>bug16717501.js</files>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bug_gh5667.js</files>
+      <tags>exclude_windows</tags>
+    </default>
+  </test>
+  <test>
+    <default>
+      <files>test_qsortr_random.js</files>
+      <tags>exclude_windows</tags>
+    </default>
+  </test>
 </regress-exe>
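Review bot: The second new entry references `test_qsortr_random.js`, but the file added by this commit is `test/Array/array_qsortr_random.js`, so the random stress test will be reported as a missing file (or silently not run) instead of exercising the new partition code. The entry should read `<files>array_qsortr_random.js</files>`. The `exclude_windows` tag on both entries is consistent with the xplat-only QuickSort path they target, but worth a short comment so nobody later "fixes" it by enabling them on Windows, where a different sort is used.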
diff --git a/test/es6/ES6TypedArrayExtensions.js b/test/es6/ES6TypedArrayExtensions.js
index c586192..dfc78d9 100644
--- a/test/es6/ES6TypedArrayExtensions.js
+++ b/test/es6/ES6TypedArrayExtensions.js
@@ -1493,7 +1493,7 @@
             if (WScript.Platform.OS == "win32") { // Windows

                 assert.areEqual([9,8,7,2,10,5,4,3,1,6], getTypedArray(10).sort(sortCallbackMalformed), "%TypedArrayPrototype%.sort basic behavior with a sort callback which returns random values");

             } else { // xplat

-                assert.areEqual([2,9,8,7,10,4,1,3,5,6], getTypedArray(10).sort(sortCallbackMalformed), "%TypedArrayPrototype%.sort basic behavior with a sort callback which returns random values");

+                assert.areEqual([2,9,10,8,7,5,4,3,6,1], getTypedArray(10).sort(sortCallbackMalformed), "%TypedArrayPrototype%.sort basic behavior with a sort callback which returns random values");

             }

 

             assert.throws(function() { sort.call(); }, TypeError, "Calling %TypedArrayPrototype%.sort with no this throws TypeError", "'this' is not a typed array object");
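Review bot: The xplat branch now pins a different exact permutation for a comparator that returns inconsistent results, and the expected values on the Windows branch show the input is 1..10; the ordering produced from such a comparator is implementation-defined, so this assertion will keep breaking on every partition-scheme change without indicating a real regression. A more durable check asserts length and permutation on both platforms, e.g. `assert.areEqual([1,2,3,4,5,6,7,8,9,10], Array.from(getTypedArray(10).sort(sortCallbackMalformed)).sort((a, b) => a - b), "…result is a permutation of the input")`, keeping the exact-sequence assertion only if the intent is to detect unintended algorithm changes, in which case a comment should say so. The surrounding test function starts and ends outside the hunk.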

diff --git a/tools/update_bytecode_version.ps1 b/tools/update_bytecode_version.ps1
index 87cc069..c611dc1 100644
--- a/tools/update_bytecode_version.ps1
+++ b/tools/update_bytecode_version.ps1
@@ -20,14 +20,14 @@
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 // NOTE: If there is a merge conflict the correct fix is to make a new GUID.
-// This file was generated with core\tools\update_bytecode_version.ps1
+// This file was generated with tools\update_bytecode_version.ps1
 
 "@
 
-$version=[Guid]::NewGuid().ToString()
+$version=[Guid]::NewGuid().ToString().ToUpper()
 
 Write-Header $copyright
-Write-Header "// $version"
+Write-Header "// {$version}"
 Write-Header "const GUID byteCodeCacheReleaseFileVersion ="
 
 $version -match "^(\w{8})-(\w{4})-(\w{4})-(\w{4}-\w{12})$" | Out-Null