Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read Exploit

ID: 98633
CVE: None
Download vulnerable application: None
BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array and copies the prepended arguments and others into the new argument array and calls the actual function. The problem is, it doesn't care about the CallFlags_ExtraArg flag which indicates that there's an extra argument ( in the PoC) at the end of the argument array. So the size of the new argument array created with the CallFlags_ExtraArg flag will be always 1 less then required, this leads to an OOB read.
  function func() {;
  let bound = func.bind({}, 1);
  Reflect.construct(bound, []);
1-4-2 (www01)