YourWishes/jerryscript
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use union to convert between jerryx_arg_int_option_t and uintptr_t (#2718)

Browse Source 
This fixes potential out-of-bounds reads in jerry-ext when dealing
with integer argument mappings.

Fixes #2713

JerryScript-DCO-1.0-Signed-off-by: Akos Kiss akiss@inf.u-szeged.hu
This commit is contained in:
Akos Kiss
2019-01-21 09:29:34 +01:00
committed by Robert Sipka
parent c23cf4176a
commit 67ef396354
2 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
jerry-ext/arg/arg-transform-functions.c
+6 -2
View File
@@ -182,8 +182,12 @@ jerryx_arg_helper_process_double (double *d, /**< [in, out] the number to be pro
return rv; \ return rv; \
} \ } \
jerry_release_value (rv); \ jerry_release_value (rv); \
jerryx_arg_int_option_t *options_p = (jerryx_arg_int_option_t *) &c_arg_p->extra_info; \ union \
rv = jerryx_arg_helper_process_double (&tmp, min, max, *options_p); \ { \
jerryx_arg_int_option_t int_option; \
uintptr_t extra_info; \
} u = { .extra_info = c_arg_p->extra_info }; \
rv = jerryx_arg_helper_process_double (&tmp, min, max, u.int_option); \
if (jerry_value_is_error (rv)) \ if (jerry_value_is_error (rv)) \
{ \ { \
return rv; \ return rv; \
jerry-ext/include/jerryscript-ext/arg.impl.h
+6 -2
View File
@@ -94,12 +94,16 @@ typedef struct
func = jerryx_arg_transform_ ## type; \ func = jerryx_arg_transform_ ## type; \
} \ } \
} \ } \
const jerryx_arg_int_option_t int_option = { .round = (uint8_t) round_flag, .clamp = (uint8_t) clamp_flag }; \ union \
{ \
jerryx_arg_int_option_t int_option; \
uintptr_t extra_info; \
} u = { .int_option = { .round = (uint8_t) round_flag, .clamp = (uint8_t) clamp_flag } }; \
return (jerryx_arg_t) \ return (jerryx_arg_t) \
{ \ { \
.func = func, \ .func = func, \
.dest = (void *) dest, \ .dest = (void *) dest, \
.extra_info = *(uintptr_t *) &int_option \ .extra_info = u.extra_info \
}; \ }; \
} }