shithub: libmujs

Download patch

ref: 7ef066a3bb95bf83e7c5be50d859e62e58fe8515
parent: dbb86fcd8b6ab141f20512315a7ad12b63264638
author: Tor Andersson <[email protected]>
date: Fri Apr 23 07:11:28 EDT 2021

Fix use-after-free in regexp source property access.

The underlying string of the "source" property of a regular expression
object can be freed if the regexp is garbage collected.

This could lead to a use-after-free, because the accessor incorrectly
assumed that the regexp source was an interned (thus never freed) string.
Fix this by calling js_pushstring instead of the faster but unsafe
js_pushliteral.

Many thanks to Connor Nelson for spotting this!

--- a/jsrun.c
+++ b/jsrun.c
@@ -522,7 +522,7 @@
 
 	else if (obj->type == JS_CREGEXP) {
 		if (!strcmp(name, "source")) {
-			js_pushliteral(J, obj->u.r.source);
+			js_pushstring(J, obj->u.r.source);
 			return 1;
 		}
 		if (!strcmp(name, "global")) {