Mirrors_Framework/mujs
1
0
Fork 0
mirror of https://github.com/ccxvii/mujs.git synced 2026-02-05 17:29:43 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 704750 and 704751: Save transient js_toobject in stack slot.

Browse Source 
Prevent use-after-free if GC is triggered while a js_toobject is held.

This is the same stack clobbering approach used for js_tostring, etc.
This commit is contained in:
Tor Andersson
2021-12-06 15:40:50 +01:00
parent 70a299c76b
commit eed8a67a49
1 changed files with 9 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
jsvalue.c
View File

@@ -385,17 +385,21 @@ static js_Object *jsV_newstring(js_State *J, const char *v)
/* ToObject() on a value */
js_Object *jsV_toobject(js_State *J, js_Value *v)
{
js_Object *o;
switch (v->type) {
default:
case JS_TSHRSTR: return jsV_newstring(J, v->u.shrstr);
case JS_TUNDEFINED: js_typeerror(J, "cannot convert undefined to object");
case JS_TNULL: js_typeerror(J, "cannot convert null to object");
case JS_TBOOLEAN: return jsV_newboolean(J, v->u.boolean);
case JS_TNUMBER: return jsV_newnumber(J, v->u.number);
case JS_TLITSTR: return jsV_newstring(J, v->u.litstr);
case JS_TMEMSTR: return jsV_newstring(J, v->u.memstr->p);
case JS_TOBJECT: return v->u.object;
case JS_TSHRSTR: o = jsV_newstring(J, v->u.shrstr); break;
case JS_TLITSTR: o = jsV_newstring(J, v->u.litstr); break;
case JS_TMEMSTR: o = jsV_newstring(J, v->u.memstr->p); break;
case JS_TBOOLEAN: o = jsV_newboolean(J, v->u.boolean); break;
case JS_TNUMBER: o = jsV_newnumber(J, v->u.number); break;
}
v->type = JS_TOBJECT;
v->u.object = o;
return o;
}
void js_newobjectx(js_State *J)