ref: 2e7550e718ab54adbfe3183f5db5f252b5a0c8a2
parent: 32bf345fd02bce5a7ec41af83e40e87eb65d9c13
author: Tor Andersson <[email protected]>
date: Thu Apr 20 19:19:35 EDT 2017
Fix bounds checks for string object array accesses.
--- a/jsrun.c
+++ b/jsrun.c
@@ -471,8 +471,10 @@
return 1;
}
if (js_isarrayindex(J, name, &k)) {
- js_pushrune(J, js_runeat(J, obj->u.s.string, k));
- return 1;
+ if (k >= 0 && k < obj->u.s.length) {
+ js_pushrune(J, js_runeat(J, obj->u.s.string, k));
+ return 1;
+ }
}
}
@@ -550,7 +552,7 @@
if (!strcmp(name, "length"))
goto readonly;
if (js_isarrayindex(J, name, &k))
- if (js_runeat(J, obj->u.s.string, k))
+ if (k >= 0 && k < obj->u.s.length)
goto readonly;
}
@@ -620,7 +622,7 @@
if (!strcmp(name, "length"))
goto readonly;
if (js_isarrayindex(J, name, &k))
- if (js_runeat(J, obj->u.s.string, k))
+ if (k >= 0 && k < obj->u.s.length)
goto readonly;
}
@@ -681,7 +683,7 @@
if (!strcmp(name, "length"))
goto dontconf;
if (js_isarrayindex(J, name, &k))
- if (js_runeat(J, obj->u.s.string, k))
+ if (k >= 0 && k < obj->u.s.length)
goto dontconf;
}