WebKit: JSC: Incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry) CVE-2017-7018 Here's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry). void flush(InlineStackEntry* inlineStackEntry) { ... if (m_graph.needsScopeRegister()) flush(m_codeBlock->scopeRegister()); <<--- (a) } At (a), it should flush the scope register of |inlineStackEntry->m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase. PoC: function f() { (function () { eval('1'); f(); }()); throw 1; } f(); This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: lokihardt