diff --git a/bin/ChakraCore/ChakraCore.def b/bin/ChakraCore/ChakraCore.def
index 9d711da..71a3110 100644
--- a/bin/ChakraCore/ChakraCore.def
+++ b/bin/ChakraCore/ChakraCore.def
@@ -58,3 +58,5 @@ JsReleaseSharedArrayBufferContentHandle
 JsLessThan
 JsLessThanOrEqual
+
+ConnectJITServer
\ No newline at end of file
diff --git a/bin/ChakraCore/TestHooks.cpp b/bin/ChakraCore/TestHooks.cpp
index 4f962a7..4cfc614 100644
--- a/bin/ChakraCore/TestHooks.cpp
+++ b/bin/ChakraCore/TestHooks.cpp
@@ -5,6 +5,12 @@
 #include "Runtime.h"
 #include "TestHooks.h"
+void __stdcall ConnectJITServer(HANDLE processHandle, void* serverSecurityDescriptor, UUID connectionId)
+{
+ JITManager::GetJITManager()->EnableOOPJIT();
+ ThreadContext::SetJITConnectionInfo(processHandle, serverSecurityDescriptor, connectionId);
+}
+
 #ifdef ENABLE_TEST_HOOKS
 HRESULT __stdcall SetConfigFlags(__in int argc, __in_ecount(argc) LPWSTR argv[], ICustomConfigFlags* customConfigFlags)
diff --git a/bin/ch/HostConfigFlagsList.h b/bin/ch/HostConfigFlagsList.h
index a2fa5bd..6f39314 100644
--- a/bin/ch/HostConfigFlagsList.h
+++ b/bin/ch/HostConfigFlagsList.h
@@ -9,7 +9,7 @@ FLAG(bool, DebugLaunch, "Create the test debugger and execut
 FLAG(BSTR, GenerateLibraryByteCodeHeader, "Generate bytecode header file from library code", NULL)
 FLAG(int, InspectMaxStringLength, "Max string length to dump in locals inspection", 16)
 FLAG(BSTR, Serialized, "If source is UTF8, deserializes from bytecode file", NULL)
-FLAG(bool, OOPJIT, "Run JIT in a separate process", false)
+FLAG(bool, OOPJIT, "Run JIT in a separate process", true)
 FLAG(bool, EnsureCloseJITServer, "JIT process will be force closed when ch is terminated", true)
 FLAG(bool, IgnoreScriptErrorCode, "Don't return error code on script error", false)
 FLAG(bool, MuteHostErrorMsg, "Mute host error output, e.g. module load failures", false)
diff --git a/bin/ch/ch.cpp b/bin/ch/ch.cpp
index 914e4e7..08067d6 100644
--- a/bin/ch/ch.cpp
+++ b/bin/ch/ch.cpp
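Review bot: `ConnectJITServer` in TestHooks.cpp is defined above the `#ifdef ENABLE_TEST_HOOKS` guard, so unlike the hooks that follow it in this file it is compiled into every configuration, and the ChakraCore.def hunk exports it unconditionally, which turns a test-host wiring function into permanent public DLL surface. It also forwards the caller's `processHandle` and `serverSecurityDescriptor` straight into `ThreadContext::SetJITConnectionInfo` with no validation and no result reported to the caller (whether those callees return a status is not visible here). Either move the definition and the .def entry under the same test-hooks guard, or document the contract above it, e.g. `// Test-host only: switches the runtime to OOP JIT and records the JIT server connection. The caller owns processHandle; nothing here validates it.` The surrounding file continues outside the hunk.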
@@ -944,6 +944,7 @@ int main(int argc, char** c_argv)
 }
 #else
 #define PAL_Shutdown()
+typedef void(__stdcall *FNConnectJITServer)(HANDLE, void*, UUID);
 int _cdecl wmain(int argc, __in_ecount(argc) LPWSTR argv[])
 {
 #endif
@@ -1109,7 +1110,8 @@ int _cdecl wmain(int argc, __in_ecount(argc) LPWSTR argv[])
 {
 // TODO: Error checking
 JITProcessManager::StartRpcServer(argc, argv);
-ChakraRTInterface::ConnectJITServer(JITProcessManager::GetRpcProccessHandle(), nullptr, JITProcessManager::GetRpcConnectionId());
+FNConnectJITServer cjs = (FNConnectJITServer)GetProcAddress(LoadLibrary(L"ChakraCore.dll"), "ConnectJITServer");
+cjs(JITProcessManager::GetRpcProccessHandle(), nullptr, JITProcessManager::GetRpcConnectionId());
 }
 #endif
 HANDLE threadHandle;
diff --git a/bin/ch/ch.vcxproj b/bin/ch/ch.vcxproj
index e07267a..b362a4a 100644
--- a/bin/ch/ch.vcxproj
+++ b/bin/ch/ch.vcxproj
@@ -27,6 +27,7 @@
 $(IntDir);
 %(AdditionalIncludeDirectories);
+ Guard
 ch.def
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
index f0fa97c..2a1b3c8 100644
--- a/lib/Runtime/Library/JavascriptArray.cpp
+++ b/lib/Runtime/Library/JavascriptArray.cpp
@@ -9607,9 +9607,9 @@ namespace Js
 JavascriptNumber::ToVar(k, scriptContext),
 obj));
-if (newArr && isBuiltinArrayCtor)
+if (newArr)
 {
-newArr->SetItem((uint32)k, mappedValue, PropertyOperation_None);
+newArr->DirectSetItemAt((uint32)k, mappedValue); // CVE-2016-7190
 }
 else
 {
diff --git a/lib/Runtime/Library/JavascriptArray.inl b/lib/Runtime/Library/JavascriptArray.inl
index 0311267..026fac5 100644
--- a/lib/Runtime/Library/JavascriptArray.inl
+++ b/lib/Runtime/Library/JavascriptArray.inl
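Review bot: The new `FNConnectJITServer` typedef in ch.cpp restates the signature of `ConnectJITServer` from TestHooks.cpp by hand, with no shared declaration, so any later change to the export's parameters or calling convention would go unnoticed at compile time and only show up as a corrupted call at runtime. At minimum tie the two together in a comment and use the modern alias form: `// Must match ConnectJITServer in bin/ChakraCore/TestHooks.cpp (exported via ChakraCore.def).` followed by `using FNConnectJITServer = void(__stdcall*)(HANDLE, void*, UUID);`. A shared header declaring the prototype would remove the duplication entirely. The enclosing `#else` block and `wmain` continue outside the hunk.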
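Review bot: In the second ch.cpp hunk, `cjs` is called without checking that either `LoadLibrary` or `GetProcAddress` succeeded, so a missing DLL or missing export becomes a null-pointer call rather than a diagnosable error, directly under the line that already says `// TODO: Error checking`. Resolving the export through `LoadLibrary(L"ChakraCore.dll")` with a bare name also goes through the DLL search path and bumps the module's reference count without a matching `FreeLibrary`; since the host presumably has the library loaded already (the removed line went through `ChakraRTInterface`), resolving against the loaded module is both safer and simpler — if that is not guaranteed at this point, load it by a path derived from the host's own module directory instead. `wmain` starts and ends outside the hunk, so the exit convention below is a placeholder to be matched to the surrounding error paths.
```cpp
    JITProcessManager::StartRpcServer(argc, argv);
    // Resolve the export against the already-loaded module rather than a bare
    // LoadLibrary name, so the DLL search order cannot substitute another module.
    HMODULE chakraModule = GetModuleHandle(L"ChakraCore.dll");
    FNConnectJITServer cjs = (chakraModule != nullptr)
        ? (FNConnectJITServer)GetProcAddress(chakraModule, "ConnectJITServer")
        : nullptr;
    if (cjs == nullptr)
    {
        // TODO(review): report through the host's usual error path; exit status is a placeholder
        return 1;
    }
    cjs(JITProcessManager::GetRpcProccessHandle(), nullptr, JITProcessManager::GetRpcConnectionId());
```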
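Review bot: In the JavascriptArray.cpp hunk, dropping `isBuiltinArrayCtor` from the condition means `newArr` reaches `DirectSetItemAt` whether or not it was produced by the built-in Array constructor, and the final hunk of this same diff comments out the `Assert_FailFast` in `DirectSetItemAt` that checked the receiver's type id, so after this commit nothing on the direct-write path confirms that `newArr` is actually a `JavascriptArray`. The inline comment `// CVE-2016-7190` names exactly the type-confusion pattern this guard existed to close, so this reads as a deliberate reintroduction rather than an oversight. If that is the intent (for example a test or fuzzing target), say so explicitly and keep it out of shipping configurations, e.g. `// INTENTIONAL: reintroduces CVE-2016-7190 for <purpose> — do not build into release`; otherwise restore `if (newArr && isBuiltinArrayCtor)` and leave non-builtin results on the `SetItem`/`else` path, and restore the `Assert_FailFast` in the .inl hunk. The enclosing map implementation starts and ends outside the hunk.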
@@ -440,7 +440,7 @@ namespace Js
 template <>
 inline void JavascriptArray::DirectSetItemAt(uint32 itemIndex, Var newValue)
 {
-Assert_FailFast(this->GetTypeId() == TypeIds_Array || this->GetTypeId() == TypeIds_ES5Array);
+// Assert_FailFast(this->GetTypeId() == TypeIds_Array || this->GetTypeId() == TypeIds_ES5Array);
 Assert(itemIndex < InvalidIndex); // Otherwise the code below could overflow and set length = 0