shithub: libmujs

Download patch

ref: 2e7550e718ab54adbfe3183f5db5f252b5a0c8a2
parent: 32bf345fd02bce5a7ec41af83e40e87eb65d9c13
author: Tor Andersson <[email protected]>
date: Thu Apr 20 19:19:35 EDT 2017

Fix bounds checks for string object array accesses.

--- a/jsrun.c
+++ b/jsrun.c
@@ -471,8 +471,10 @@
 			return 1;
 		}
 		if (js_isarrayindex(J, name, &k)) {
-			js_pushrune(J, js_runeat(J, obj->u.s.string, k));
-			return 1;
+			if (k >= 0 && k < obj->u.s.length) {
+				js_pushrune(J, js_runeat(J, obj->u.s.string, k));
+				return 1;
+			}
 		}
 	}
 
@@ -550,7 +552,7 @@
 		if (!strcmp(name, "length"))
 			goto readonly;
 		if (js_isarrayindex(J, name, &k))
-			if (js_runeat(J, obj->u.s.string, k))
+			if (k >= 0 && k < obj->u.s.length)
 				goto readonly;
 	}
 
@@ -620,7 +622,7 @@
 		if (!strcmp(name, "length"))
 			goto readonly;
 		if (js_isarrayindex(J, name, &k))
-			if (js_runeat(J, obj->u.s.string, k))
+			if (k >= 0 && k < obj->u.s.length)
 				goto readonly;
 	}
 
@@ -681,7 +683,7 @@
 		if (!strcmp(name, "length"))
 			goto dontconf;
 		if (js_isarrayindex(J, name, &k))
-			if (js_runeat(J, obj->u.s.string, k))
+			if (k >= 0 && k < obj->u.s.length)
 				goto dontconf;
 	}