github_mirrors/quickjs
3
0
Fork 1
mirror of https://github.com/bellard/quickjs.git synced 2025-09-30 15:04:24 +03:00
Code Issues Packages Projects Releases Wiki Activity

Prevent UB on memcpy and floating point conversions

Browse Source 
- add `memcpy_no_ub` that accepts null pointers for 0 count
- prevent 0 length allocation in `js_worker_postMessage`
- use safer test for `int` value in `JS_NewFloat64`,
  `JS_ToArrayLengthFree` and `js_typed_array_indexOf`
This commit is contained in:
Charlie Gordon
2024-03-03 14:05:40 +01:00
parent 3dd93eb4e4
commit 06c100c9bf
5 changed files with 26 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
quickjs.c
View File

@@ -11078,6 +11078,8 @@ static __exception int JS_ToArrayLengthFree(JSContext *ctx, uint32_t *plen,
if (JS_TAG_IS_FLOAT64(tag)) {
double d;
d = JS_VALUE_GET_FLOAT64(val);
if (!(d >= 0 && d <= UINT32_MAX))
goto fail;
len = (uint32_t)d;
if (len != d)
goto fail;
@@ -33388,8 +33390,8 @@ static JSValue js_create_function(JSContext *ctx, JSFunctionDef *fd)
}
} else {
b->vardefs = (void *)((uint8_t*)b + vardefs_offset);
memcpy(b->vardefs, fd->args, fd->arg_count * sizeof(fd->args[0]));
memcpy(b->vardefs + fd->arg_count, fd->vars, fd->var_count * sizeof(fd->vars[0]));
memcpy_no_ub(b->vardefs, fd->args, fd->arg_count * sizeof(fd->args[0]));
memcpy_no_ub(b->vardefs + fd->arg_count, fd->vars, fd->var_count * sizeof(fd->vars[0]));
}
b->var_count = fd->var_count;
b->arg_count = fd->arg_count;
@@ -53997,9 +53999,10 @@ static JSValue js_typed_array_indexOf(JSContext *ctx, JSValueConst this_val,
} else
if (tag == JS_TAG_FLOAT64) {
d = JS_VALUE_GET_FLOAT64(argv[0]);
// XXX: should fix UB
v64 = d;
is_int = (v64 == d);
if (d >= INT64_MIN && d < 0x1p63) {
v64 = d;
is_int = (v64 == d);
}
} else if (tag == JS_TAG_BIG_INT) {
JSBigFloat *p1 = JS_VALUE_GET_PTR(argv[0]);