archive-gh-me/jerryscript
1
0
Fork 0
mirror of https://github.com/jerryscript-project/jerryscript.git synced 2025-12-15 16:29:21 +00:00
Code Issues Projects Releases Wiki Activity

Fix heap buffer overflow in Array.prototype.copyWithin (#4211)

Browse Source 
2nd and 3rd argument evaluation of Array.prototype.copyWithin can change
the length of the array as a side-effect. But ES11 spec says that the
algorithm should use the original length. In this case it could happen
that the underlying buffer should be extended.

Fixes #4204

JerryScript-DCO-1.0-Signed-off-by: Csaba Osztrogonác csaba.osztrogonac@h-lab.eu
This commit is contained in:
Csaba Osztrogonác 2020-09-25 15:06:29 +02:00 committed by GitHub
parent bc64957d19
commit de38764e88
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 24 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c
View File

@ -2491,14 +2491,13 @@ ecma_builtin_array_prototype_object_copy_within (const ecma_value_t args[], /**<
}
}
if (target >= len || start >= end || end == 0)
ecma_length_t count = JERRY_MIN (end - start, len - target);
if (end <= start || len <= target) /* count <= 0 check, but variables are unsigned */
{
ecma_ref_object (obj_p);
return ecma_make_object_value (obj_p);
}
ecma_length_t count = JERRY_MIN (end - start, len - target);
bool forward = true;
if (start < target && target < start + count)
@ -2511,12 +2510,13 @@ ecma_builtin_array_prototype_object_copy_within (const ecma_value_t args[], /**<
if (ecma_op_object_is_fast_array (obj_p))
{
ecma_extended_object_t *ext_obj_p = (ecma_extended_object_t *) obj_p;
const uint32_t actual_length = ext_obj_p->u.array.length;
if (ext_obj_p->u.array.u.hole_count < ECMA_FAST_ARRAY_HOLE_ONE)
if (ext_obj_p->u.array.u.hole_count < ECMA_FAST_ARRAY_HOLE_ONE
&& ((forward && (target + count - 1 < actual_length)) || (!forward && (target < actual_length))))
{
if (obj_p->u1.property_list_cp != JMEM_CP_NULL)
{
count = JERRY_MIN (ext_obj_p->u.array.length, count);
ecma_value_t *buffer_p = ECMA_GET_NON_NULL_POINTER (ecma_value_t, obj_p->u1.property_list_cp);
for (; count > 0; count--)

17
tests/jerry/es.next/array-prototype-copywithin.js
View File

@ -95,7 +95,6 @@ var value = array.copyWithin(0, {
array.length = 0;
}
})
array_check(value, []);
// Extend the buffer
@ -105,7 +104,6 @@ var value = array.copyWithin(1, {
array.length = 6;
}
})
array_check(value, [1, 1, 2, undefined, undefined, undefined]);
// Reduce the buffer
@ -115,5 +113,18 @@ var value = array.copyWithin(4, 2, {
array.length = 3;
}
})
array_check(value, [1, 2, 3]);
// Reduce the buffer and extend the buffer
var array = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
var value = array.copyWithin(7, {
valueOf: function() {
array.length = 5;
}
})
array_check(value, [1, 2, 3, 4, 5, , , 1, 2, 3]);
// Copy with overlapping (backward copy)
var array = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
var value = array.copyWithin(0, 2, 8)
array_check(value, [3, 4, 5, 6, 7, 8, 7, 8, 9, 10]);

9
tests/jerry/es.next/regression-test-issue-4146.js
View File

@ -32,7 +32,7 @@ Array.prototype.equals = function (array) {
function longDenseArray(){
var a = [0];
for(var i = 0; i < 200; i++){
for(var i = 0; i < 60; i++){
a[i] = i;
}
return a;
@ -43,7 +43,8 @@ function shorten(){
return 1;
}
var array = [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,,,,,,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19];
var currArray = longDenseArray();
assert (currArray.copyWithin (200, {valueOf: shorten}).length == 20)
var array = [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19];
assert (currArray.copyWithin(200, {valueOf: shorten}).equals (array))
currArray.copyWithin(25, {valueOf: shorten})
assert (currArray.length == 44)
assert (currArray.equals (array))

2
tests/test262-esnext-excludelist.xml
View File

@ -142,8 +142,6 @@
<test id="built-ins/Array/proto-from-ctor-realm-zero.js"><reason></reason></test>
<test id="built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js"><reason></reason></test>
<test id="built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js"><reason></reason></test>
<test id="built-ins/Array/prototype/copyWithin/coerced-values-start-change-start.js"><reason></reason></test>
<test id="built-ins/Array/prototype/copyWithin/coerced-values-start-change-target.js"><reason></reason></test>
<test id="built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js"><reason></reason></test>
<test id="built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js"><reason></reason></test>
<test id="built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js"><reason></reason></test>