github_mirrors/quickjs
3
0
Fork 1
mirror of https://github.com/bellard/quickjs.git synced 2025-09-27 13:48:45 +03:00
Code Issues Packages Projects Releases Wiki Activity

limit function and regexp bytecode to 1G to avoid buffer overflows (the bytecode generators assume that bytecode offsets can fit a 32 bit signed integer

Browse Source
This commit is contained in:
Fabrice Bellard 2025-08-25 17:14:47 +02:00
parent 4e0d0b7f80
commit d9ec8f102e
2 changed files with 32 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
libregexp.c
View File

@ -2433,6 +2433,17 @@ static int compute_stack_size(const uint8_t *bc_buf, int bc_buf_len)
return stack_size_max; return stack_size_max;
} }
static void *lre_bytecode_realloc(void *opaque, void *ptr, size_t size)
{
if (size > (INT32_MAX / 2)) {
/* the bytecode cannot be larger than 2G. Leave some slack to
avoid some overflows. */
return NULL;
} else {
return lre_realloc(opaque, ptr, size);
}
}
/* 'buf' must be a zero terminated UTF-8 string of length buf_len. /* 'buf' must be a zero terminated UTF-8 string of length buf_len.
Return NULL if error and allocate an error message in *perror_msg, Return NULL if error and allocate an error message in *perror_msg,
otherwise the compiled bytecode and its length in plen. otherwise the compiled bytecode and its length in plen.
@ -2461,7 +2472,7 @@ uint8_t *lre_compile(int *plen, char *error_msg, int error_msg_size,
s->total_capture_count = -1; s->total_capture_count = -1;
s->has_named_captures = -1; s->has_named_captures = -1;
dbuf_init2(&s->byte_code, opaque, lre_realloc); dbuf_init2(&s->byte_code, opaque, lre_bytecode_realloc);
dbuf_init2(&s->group_names, opaque, lre_realloc); dbuf_init2(&s->group_names, opaque, lre_realloc);
dbuf_put_u16(&s->byte_code, re_flags); /* first element is the flags */ dbuf_put_u16(&s->byte_code, re_flags); /* first element is the flags */

23
quickjs.c
View File

@ -1470,6 +1470,23 @@ static inline void js_dbuf_init(JSContext *ctx, DynBuf *s)
dbuf_init2(s, ctx->rt, (DynBufReallocFunc *)js_realloc_rt); dbuf_init2(s, ctx->rt, (DynBufReallocFunc *)js_realloc_rt);
} }
static void *js_realloc_bytecode_rt(void *opaque, void *ptr, size_t size)
{
JSRuntime *rt = opaque;
if (size > (INT32_MAX / 2)) {
/* the bytecode cannot be larger than 2G. Leave some slack to
avoid some overflows. */
return NULL;
} else {
return rt->mf.js_realloc(&rt->malloc_state, ptr, size);
}
}
static inline void js_dbuf_bytecode_init(JSContext *ctx, DynBuf *s)
{
dbuf_init2(s, ctx->rt, js_realloc_bytecode_rt);
}
static inline int is_digit(int c) { static inline int is_digit(int c) {
return c >= '0' && c <= '9'; return c >= '0' && c <= '9';
} }
@ -30809,7 +30826,7 @@ static JSFunctionDef *js_new_function_def(JSContext *ctx,
fd->is_eval = is_eval; fd->is_eval = is_eval;
fd->is_func_expr = is_func_expr; fd->is_func_expr = is_func_expr;
js_dbuf_init(ctx, &fd->byte_code); js_dbuf_bytecode_init(ctx, &fd->byte_code);
fd->last_opcode_pos = -1; fd->last_opcode_pos = -1;
fd->func_name = JS_ATOM_NULL; fd->func_name = JS_ATOM_NULL;
fd->var_object_idx = -1; fd->var_object_idx = -1;
@ -32904,7 +32921,7 @@ static __exception int resolve_variables(JSContext *ctx, JSFunctionDef *s)
cc.bc_buf = bc_buf = s->byte_code.buf; cc.bc_buf = bc_buf = s->byte_code.buf;
cc.bc_len = bc_len = s->byte_code.size; cc.bc_len = bc_len = s->byte_code.size;
js_dbuf_init(ctx, &bc_out); js_dbuf_bytecode_init(ctx, &bc_out);
/* first pass for runtime checks (must be done before the /* first pass for runtime checks (must be done before the
variables are created) */ variables are created) */
@ -33524,7 +33541,7 @@ static __exception int resolve_labels(JSContext *ctx, JSFunctionDef *s)
cc.bc_buf = bc_buf = s->byte_code.buf; cc.bc_buf = bc_buf = s->byte_code.buf;
cc.bc_len = bc_len = s->byte_code.size; cc.bc_len = bc_len = s->byte_code.size;
js_dbuf_init(ctx, &bc_out); js_dbuf_bytecode_init(ctx, &bc_out);
#if SHORT_OPCODES #if SHORT_OPCODES
if (s->jump_size) { if (s->jump_size) {