shithub: libmujs

Download patch

ref: 780b14b5b73724c36800bf72db1f8f1a2b77f76d
parent: 57b698f0b20789f88a1540ca116c9102c2251dee
author: Tor Andersson <[email protected]>
date: Fri Apr 27 07:11:50 EDT 2018

Fix bug in Ap_sort where tostring values were put back into the array.

--- a/jsarray.c
+++ b/jsarray.c
@@ -274,9 +274,15 @@
 			return c;
 		}
 
+		/* Ap_sort expects the original values to remain on the stack,
+		 * but because js_tostring may mutate the stack slot, make a copy first. */
+		js_copy(J, -2);
+		js_copy(J, -2);
 		sx = js_tostring(J, -2);
 		sy = js_tostring(J, -1);
-		return strcmp(sx, sy);
+		c = strcmp(sx, sy);
+		js_pop(J, 2);
+		return c;
 	}
 
 	if (*hasx) return -1;