ref: 1780d0ea73433a4548fe4bc073bdf2964b6d9b63
parent: 70bd7ea61c1b5486e8cb3f4a3b07896a4ef95215
author: Tor Andersson <tor.andersson@artifex.com>
date: Wed Dec 8 07:54:07 EST 2021
Bug 704756: Don't trust function.length property! Calling js_call with n < 0 led to us popping a negative number of items from the stack, which could make us miss the stack size check. Sanitize all uses of function.length in Function.prototype.apply and Function.prototype.bind.
--- a/jsfunction.c
+++ b/jsfunction.c
@@ -110,6 +110,8 @@
n = 0;
} else {
n = js_getlength(J, 2);
+ if (n < 0)
+ n = 0;
for (i = 0; i < n; ++i)
js_getindex(J, 2, i);
}
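Review bot: The clamp `if (n < 0) n = 0;` silently turns a negative array-like `length` into an empty argument list, while the guard added to js_call in jsrun.c in the same commit reports a negative count as a RangeError, so the same malformed value is handled two different ways and a reader comparing the files will wonder which is intended. If the clamp is deliberate for apply (ECMAScript's LengthOfArrayLike/ToLength maps negatives to 0), say so next to it, e.g. `/* ToLength semantics: a negative array-like length means no arguments */`, otherwise raise the same RangeError as js_call. The identical clamp is repeated at the two `__BoundArguments__` hunks below (lines 145-152 and 169-176 of the new file); since every instance follows a js_getlength call, doing the clamp once in js_getlength or a small static helper would keep the three sites in step. The clamp bounds only the lower side: a very large `length` still drives the js_getindex loop, which presumably relies on the per-push stack check elsewhere in the engine (not visible here) — worth a comment if that is the intended backstop. The enclosing function begins and ends outside this hunk.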
@@ -143,6 +145,8 @@
args = js_gettop(J);
js_getproperty(J, fun, "__BoundArguments__");
n = js_getlength(J, args);
+ if (n < 0)
+ n = 0;
for (i = 0; i < n; ++i)
js_getindex(J, args, i);
js_remove(J, args);
@@ -165,6 +169,8 @@
args = js_gettop(J);
js_getproperty(J, fun, "__BoundArguments__");
n = js_getlength(J, args);
+ if (n < 0)
+ n = 0;
for (i = 0; i < n; ++i)
js_getindex(J, args, i);
js_remove(J, args);
--- a/jsrun.c
+++ b/jsrun.c
@@ -1126,6 +1126,9 @@
js_Object *obj;
int savebot;
+ if (n < 0)
+ js_rangeerror(J, "number of arguments cannot be negative");
+
if (!js_iscallable(J, -n-2))
js_typeerror(J, "%s is not callable", js_typeof(J, -n-2));