ref: 780b14b5b73724c36800bf72db1f8f1a2b77f76d
parent: 57b698f0b20789f88a1540ca116c9102c2251dee
author: Tor Andersson <tor.andersson@artifex.com>
date: Fri Apr 27 07:11:50 EDT 2018
Fix bug in Ap_sort where tostring values were put back into the array.
--- a/jsarray.c
+++ b/jsarray.c
@@ -274,9 +274,15 @@
return c;
}
+ /* Ap_sort expects the original values to remain on the stack,
+ * but because js_tostring may mutate the stack slot, make a copy first. */
+ js_copy(J, -2);
+ js_copy(J, -2);
sx = js_tostring(J, -2);
sy = js_tostring(J, -1);
- return strcmp(sx, sy);
+ c = strcmp(sx, sy);
+ js_pop(J, 2);
+ return c;
}
if (*hasx) return -1;
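Review bot: The two identical `js_copy(J, -2);` lines and the position of `js_pop(J, 2);` carry ordering constraints that the new comment does not spell out. The second copy picks up y only because the first push shifted the indices, so I would annotate them as `js_copy(J, -2); /* copy x */` and `js_copy(J, -2); /* copy y (index shifted by the push above) */`. If, as the added comment implies, js_tostring converts the slot in place and returns a pointer tied to that slot, then sx and sy are only valid while the copies are on the stack; a line such as `/* sx/sy point into the copies: compare before js_pop */` above `c = strcmp(sx, sy);` would keep a later refactor from popping first and reading stale pointers. The enclosing function begins and ends outside this hunk.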