Bug 704756: Don't trust function.length property!

Calling js_call with n < 0 led to us popping a negative number of items from the stack, which could make us miss the stack size check. Sanitize all uses of function.length in Function.prototype.apply and Function.prototype.bind.
2026-02-05 17:29:43 +08:00 · 2021-12-08 12:54:07 +01:00
parent 70bd7ea61c
commit 1780d0ea73
2 changed files with 9 additions and 0 deletions
--- a/jsfunction.c
+++ b/jsfunction.c
@@ -110,6 +110,8 @@ static void Fp_apply(js_State *J)
 		n = 0;
 	} else {
 		n = js_getlength(J, 2);
+		if (n < 0)
+			n = 0;
 		for (i = 0; i < n; ++i)
 			js_getindex(J, 2, i);
 	}
@@ -143,6 +145,8 @@ static void callbound(js_State *J)
 	args = js_gettop(J);
 	js_getproperty(J, fun, "__BoundArguments__");
 	n = js_getlength(J, args);
+	if (n < 0)
+		n = 0;
 	for (i = 0; i < n; ++i)
 		js_getindex(J, args, i);
 	js_remove(J, args);
@@ -165,6 +169,8 @@ static void constructbound(js_State *J)
 	args = js_gettop(J);
 	js_getproperty(J, fun, "__BoundArguments__");
 	n = js_getlength(J, args);
+	if (n < 0)
+		n = 0;
 	for (i = 0; i < n; ++i)
 		js_getindex(J, args, i);
 	js_remove(J, args);
--- a/jsrun.c
+++ b/jsrun.c
@@ -1126,6 +1126,9 @@ void js_call(js_State *J, int n)
 	js_Object *obj;
 	int savebot;

+	if (n < 0)
+		js_rangeerror(J, "number of arguments cannot be negative");
+
 	if (!js_iscallable(J, -n-2))
 		js_typeerror(J, "%s is not callable", js_typeof(J, -n-2));