Fix appending elements for ecma collection (#3719)

During ecma_collection_append the underlying buffer was not enlarged
when the remaining capacity was too small for the new elements. This triggered
a buffer overflow when processing a bound function's arguments
during a call, or during the Proxy ownKeys method.

JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
Péter Gál
2020-05-07 16:11:14 +02:00
committed by GitHub
parent 90c7eccb42
commit 18fe546802
3 changed files with 63 additions and 2 deletions
@@ -174,9 +174,13 @@ ecma_collection_append (ecma_collection_t *collection_p, /**< value collection *
uint32_t count) /**< number of ecma values to append */
{
JERRY_ASSERT (collection_p != NULL);
if (collection_p->capacity - collection_p->item_count >= count)
JERRY_ASSERT (collection_p->capacity >= collection_p->item_count);
uint32_t free_count = collection_p->capacity - collection_p->item_count;
if (free_count < count)
{
ecma_collection_reserve (collection_p, count);
ecma_collection_reserve (collection_p, count - free_count);
}
memcpy (collection_p->buffer_p + collection_p->item_count, buffer_p, count * sizeof (ecma_value_t));