YourWishes/jerryscript
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Limit maximum number of arguments for apply(). (#2183)

Browse Source 
The length*sizeof(ecma_value_t) may overflow on 32 bit systems which
cause a memory corruption when the values are filled.

Fixes #2182.

JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com
This commit is contained in:
Zoltan Herczeg
2018-02-01 15:09:53 +01:00
committed by Dániel Bátyai
parent 06ebfc52ed
commit 36051ec92b
2 changed files with 72 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c
+44 -32
View File
@@ -43,6 +43,11 @@
* @{ * @{
*/ */
/**
* Maximum number of arguments for an apply function.
*/
#define ECMA_FUNCTION_APPLY_ARGUMENT_COUNT_LIMIT 65535
/** /**
* The Function.prototype object's 'toString' routine * The Function.prototype object's 'toString' routine
* *
@@ -122,43 +127,50 @@ ecma_builtin_function_prototype_object_apply (ecma_value_t this_arg, /**< this a
/* 5. */ /* 5. */
const uint32_t length = ecma_number_to_uint32 (length_number); const uint32_t length = ecma_number_to_uint32 (length_number);
/* 6. */ if (length >= ECMA_FUNCTION_APPLY_ARGUMENT_COUNT_LIMIT)
JMEM_DEFINE_LOCAL_ARRAY (arguments_list_p, length, ecma_value_t);
uint32_t last_index = 0;
/* 7. */
for (uint32_t index = 0;
index < length && ecma_is_value_empty (ret_value);
index++)
{ {
ecma_string_t *curr_idx_str_p = ecma_new_ecma_string_from_uint32 (index); ret_value = ecma_raise_range_error (ECMA_ERR_MSG ("Too many arguments declared for Function.apply()."));
ECMA_TRY_CATCH (get_value,
ecma_op_object_get (obj_p, curr_idx_str_p),
ret_value);
arguments_list_p[index] = ecma_copy_value (get_value);
last_index = index + 1;
ECMA_FINALIZE (get_value);
ecma_deref_ecma_string (curr_idx_str_p);
} }
else
if (ecma_is_value_empty (ret_value))
{ {
JERRY_ASSERT (last_index == length); /* 6. */
ret_value = ecma_op_function_call (func_obj_p, JMEM_DEFINE_LOCAL_ARRAY (arguments_list_p, length, ecma_value_t);
arg1, uint32_t last_index = 0;
arguments_list_p,
length);
}
for (uint32_t index = 0; index < last_index; index++) /* 7. */
{ for (uint32_t index = 0;
ecma_free_value (arguments_list_p[index]); index < length && ecma_is_value_empty (ret_value);
} index++)
{
ecma_string_t *curr_idx_str_p = ecma_new_ecma_string_from_uint32 (index);
JMEM_FINALIZE_LOCAL_ARRAY (arguments_list_p); ECMA_TRY_CATCH (get_value,
ecma_op_object_get (obj_p, curr_idx_str_p),
ret_value);
arguments_list_p[index] = ecma_copy_value (get_value);
last_index = index + 1;
ECMA_FINALIZE (get_value);
ecma_deref_ecma_string (curr_idx_str_p);
}
if (ecma_is_value_empty (ret_value))
{
JERRY_ASSERT (last_index == length);
ret_value = ecma_op_function_call (func_obj_p,
arg1,
arguments_list_p,
length);
}
for (uint32_t index = 0; index < last_index; index++)
{
ecma_free_value (arguments_list_p[index]);
}
JMEM_FINALIZE_LOCAL_ARRAY (arguments_list_p);
}
ECMA_OP_TO_NUMBER_FINALIZE (length_number); ECMA_OP_TO_NUMBER_FINALIZE (length_number);
ECMA_FINALIZE (length_value); ECMA_FINALIZE (length_value);
tests/jerry/regression-test-issue-2182.js
+28
View File
@@ -0,0 +1,28 @@
// Copyright JS Foundation and other contributors, http://js.foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
function test(len)
{
function applyTest() { }
try {
applyTest.apply(null, { length : len });
assert(false);
} catch (e) {
assert(e instanceof RangeError);
}
}
test(65536);
test(0x40000001);
test(0xffffffff);