Microsoft Edge: Chakra: A bug in BoundFunction::NewInstance
CVE-2018-8139
BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array and copies the prepended arguments and others into the new argument array and calls the actual function. The problem is, it doesn't care about the CallFlags_NewTarget flag which indicates that there's an extra argument (new.target) at the end of the argument array. So the size of the new argument array created with the CallFlags_NewTarget flag will be always 1 less then required, this leads to an OOB read.
PoC:
function func() {
new.target.x;
}
let bound = func.bind({}, 1);
Reflect.construct(bound, []);
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
