43 lines
1.1 KiB
Diff
43 lines
1.1 KiB
Diff
From 056459314305f666aee132565df710c42f41ec04 Mon Sep 17 00:00:00 2001
|
|
From: Nick Vatamaniuc <vatamane@gmail.com>
|
|
Date: Sun, 28 May 2023 01:50:46 -0400
|
|
Subject: [PATCH] Fix stack overflow in CVE-2023-31922
|
|
|
|
isArray and proxy isArray can call each other indefinitely in a mutually
|
|
recursive loop.
|
|
|
|
Add a stack overflow check in the js_proxy_isArray function before calling
|
|
JS_isArray(ctx, s->target).
|
|
|
|
With ASAN the the poc.js from issue 178:
|
|
|
|
```
|
|
./qjs ./poc.js
|
|
InternalError: stack overflow
|
|
at isArray (native)
|
|
at <eval> (./poc.js:4)
|
|
```
|
|
|
|
Fix: https://github.com/bellard/quickjs/issues/178
|
|
---
|
|
quickjs.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/quickjs.c b/quickjs.c
|
|
index 79160139..a3b0b55f 100644
|
|
--- a/quickjs.c
|
|
+++ b/quickjs.c
|
|
@@ -45243,6 +45243,12 @@ static int js_proxy_isArray(JSContext *ctx, JSValueConst obj)
|
|
JSProxyData *s = JS_GetOpaque(obj, JS_CLASS_PROXY);
|
|
if (!s)
|
|
return FALSE;
|
|
+
|
|
+ if (js_check_stack_overflow(ctx->rt, 0)) {
|
|
+ JS_ThrowStackOverflow(ctx);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
if (s->is_revoked) {
|
|
JS_ThrowTypeErrorRevokedProxy(ctx);
|
|
return -1;
|