Mirrors_Framework/mujs
1
0
Fork 0
mirror of https://github.com/ccxvii/mujs.git synced 2026-02-06 01:41:37 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix bounds checks for string object array accesses.

Browse Source
This commit is contained in:
Tor Andersson
2017-04-20 23:19:35 +02:00
parent 32bf345fd0
commit 2e7550e718
1 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
jsrun.c
View File

@@ -471,8 +471,10 @@ static int jsR_hasproperty(js_State *J, js_Object *obj, const char *name)
return 1;
}
if (js_isarrayindex(J, name, &k)) {
js_pushrune(J, js_runeat(J, obj->u.s.string, k));
return 1;
if (k >= 0 && k < obj->u.s.length) {
js_pushrune(J, js_runeat(J, obj->u.s.string, k));
return 1;
}
}
}
@@ -550,7 +552,7 @@ static void jsR_setproperty(js_State *J, js_Object *obj, const char *name)
if (!strcmp(name, "length"))
goto readonly;
if (js_isarrayindex(J, name, &k))
if (js_runeat(J, obj->u.s.string, k))
if (k >= 0 && k < obj->u.s.length)
goto readonly;
}
@@ -620,7 +622,7 @@ static void jsR_defproperty(js_State *J, js_Object *obj, const char *name,
if (!strcmp(name, "length"))
goto readonly;
if (js_isarrayindex(J, name, &k))
if (js_runeat(J, obj->u.s.string, k))
if (k >= 0 && k < obj->u.s.length)
goto readonly;
}
@@ -681,7 +683,7 @@ static int jsR_delproperty(js_State *J, js_Object *obj, const char *name)
if (!strcmp(name, "length"))
goto dontconf;
if (js_isarrayindex(J, name, &k))
if (js_runeat(J, obj->u.s.string, k))
if (k >= 0 && k < obj->u.s.length)
goto dontconf;
}