CVE-2022-28285 - Incorrect AliasSet used in JIT Codegen

author: Matt A. Tobin <email@mattatobin.com> 2022-04-09 21:30:11 -0500
committer: Matt A. Tobin <email@mattatobin.com> 2022-04-09 21:30:11 -0500
commit: d542034aafae711f6446536e086d734102997c46 (patch)
tree: f8cf51b66e531177e3f25e5011a87b62b1dd10ee /js
parent: a82ce63d9cd0bd1e2f42908cc293463f0e9c2038 (diff)
download: aura-central-d542034aafae711f6446536e086d734102997c46.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index 8fd777d3e..a398ef334 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -10113,7 +10113,7 @@ class MLoadTypedArrayElementHole
         return congruentIfOperandsEqual(other);
     }
     AliasSet getAliasSet() const override {
-        return AliasSet::Load(AliasSet::UnboxedElement);
+        return AliasSet::Load(AliasSet::UnboxedElement | AliasSet::ObjectFields);
     }
     bool canProduceFloat32() const override { return arrayType_ == Scalar::Float32; }
author	Matt A. Tobin <email@mattatobin.com>	2022-04-09 21:30:11 -0500
committer	Matt A. Tobin <email@mattatobin.com>	2022-04-09 21:30:11 -0500
commit	d542034aafae711f6446536e086d734102997c46 (patch)
tree	f8cf51b66e531177e3f25e5011a87b62b1dd10ee /js
parent	a82ce63d9cd0bd1e2f42908cc293463f0e9c2038 (diff)
download	aura-central-d542034aafae711f6446536e086d734102997c46.tar.gz