From 1780d0ea73433a4548fe4bc073bdf2964b6d9b63 Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Wed, 8 Dec 2021 12:54:07 +0100
Subject: [PATCH] Bug 704756: Don't trust function.length property!

Calling js_call with n < 0 led to us popping a negative number of items from the stack, which could make us miss the stack size check. Sanitize all uses of function.length in Function.prototype.apply and Function.prototype.bind.
---
 jsfunction.c | 6 ++++++
 jsrun.c | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/jsfunction.c b/jsfunction.c
index f03e90c..ec20cd4 100644
--- a/jsfunction.c
+++ b/jsfunction.c
@@ -110,6 +110,8 @@ static void Fp_apply(js_State *J)
 n = 0;
 } else {
 n = js_getlength(J, 2);
+if (n < 0)
+n = 0;
 for (i = 0; i < n; ++i)
 js_getindex(J, 2, i);
 }
@@ -143,6 +145,8 @@ static void callbound(js_State *J)
 args = js_gettop(J);
 js_getproperty(J, fun, "__BoundArguments__");
 n = js_getlength(J, args);
+if (n < 0)
+n = 0;
 for (i = 0; i < n; ++i)
 js_getindex(J, args, i);
 js_remove(J, args);
@@ -165,6 +169,8 @@ static void constructbound(js_State *J)
 args = js_gettop(J);
 js_getproperty(J, fun, "__BoundArguments__");
 n = js_getlength(J, args);
+if (n < 0)
+n = 0;
 for (i = 0; i < n; ++i)
 js_getindex(J, args, i);
 js_remove(J, args);
diff --git a/jsrun.c b/jsrun.c
index b517cc4..dd96e7e 100644
--- a/jsrun.c
+++ b/jsrun.c
@@ -1126,6 +1126,9 @@ void js_call(js_State *J, int n)
 js_Object *obj;
 int savebot;
+if (n < 0)
+js_rangeerror(J, "number of arguments cannot be negative");
+
 if (!js_iscallable(J, -n-2))
 js_typeerror(J, "%s is not callable", js_typeof(J, -n-2));
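Review bot: The clamp `if (n < 0) n = 0;` after `n = js_getlength(J, 2);` is repeated verbatim in the callbound and constructbound hunks that follow, so every future caller of js_getlength has to remember it; clamping inside js_getlength itself (or a small shared helper used by all three sites) would make the negative case unreachable with one change and would also cover any other js_getlength caller in the tree that this patch does not visit, which I cannot see from here. A short comment at the clamp would help the next reader, since the check looks like dead code once the script-controlled origin of `length` is forgotten: `/* length comes from script; a negative value means the coercion overflowed, treat as no arguments */`. The loop below still pushes up to n values for a script-chosen positive length, which is only safe if the push inside js_getindex is itself bounded by a stack-size check — this hunk does not show that, so it is worth confirming rather than relying on the new guard in js_call in jsrun.c, which runs only after the values are already on the stack. Fp_apply's body begins and ends outside the hunk.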