Fix use-after-free in regexp source property access.

The underlying string of the "source" property of a regular expression
object can be freed if the regexp is garbage collected.

This could lead to a use-after-free, because the accessor incorrectly
assumed that the regexp source was an interned (thus never freed) string.
Fix this by calling js_pushstring instead of the faster but unsafe
js_pushliteral.

Many thanks to Connor Nelson for spotting this!
Tor Andersson
2021-04-23 11:11:28 +02:00
parent dbb86fcd8b
commit 7ef066a3bb


@@ -522,7 +522,7 @@ static int jsR_hasproperty(js_State *J, js_Object *obj, const char *name)
else if (obj->type == JS_CREGEXP) {
if (!strcmp(name, "source")) {
js_pushliteral(J, obj->u.r.source);
js_pushstring(J, obj->u.r.source);
return 1;
}
if (!strcmp(name, "global")) {
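Review bot: the swap from js_pushliteral to js_pushstring on the "source" branch is the right fix for the lifetime bug described in the message, since js_pushliteral pushes a reference to the caller's buffer on the assumption that it outlives the value, while js_pushstring makes a copy that the interpreter owns, so the pushed value no longer dangles once the regexp object (and with it obj->u.r.source) is collected; however, this hunk only covers the `source` case inside jsR_hasproperty, so please confirm that no other accessor path exposes obj->u.r.source through js_pushliteral, and consider adding a regression test that reads `.source` from a regexp after it becomes unreachable and a collection is forced, so the fix is documented and does not silently regress.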