    Prevent NULL pointer dereference when 'null' object passed to JS functions · 54523145
    Rob Swindell authored
    As was discovered as part of investigation into issue #769, a JavaScript
    script could crash SBBS (cause a segfault) due to a NULL pointer dereference
    when the script passes 'null' to native JS functions where an object is
    expected.
    
    The issue raised was with console.gotoxy(), but it turns out that *many*
    Synchronet native JS functions would call JSVAL_TO_OBJECT() and then, without
    checking for NULL/nullptr, pass its return value to JS API functions such as
    JS_GetPrivate, JS_GetProperty, JS_GetClass, JS_ObjectIsFunction,
    JS_IsArrayObject, JS_GetArrayLength, JS_DefineProperty, JS_Enumerate, etc.
    All of these JS API functions dereference the passed object pointer without
    NULL/nullptr checking.
    
    The fix here is to either call JSVAL_IS_NULL() or JSVAL_NULL_OR_VOID() and,
    if true, not call JSVAL_TO_OBJECT(), and/or check the return value for the
    NULL value before using it as an argument to any other JS API function.
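The pattern the commit describes, shown as an added, self-contained C model (this is not Synchronet's or SpiderMonkey's code). The `jsval_model`, `model_*` helpers and `native_gotoxy_before`/`native_gotoxy_after` functions are stand-ins assumed here to mirror the behaviour the commit message states: converting the JS `null` value to an object pointer yields NULL, and the engine's API calls dereference that pointer unconditionally. The "before" function reproduces the crash path; the "after" function applies the null-or-void check plus the pointer re-check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of a SpiderMonkey-style tagged value. These types and helpers are
 * assumptions for illustration, not the real jsval/JSObject the engine uses. */
typedef enum { TAG_VOID, TAG_NULL, TAG_OBJECT } val_tag;

typedef struct js_object_model {
    int x;
    int y;
} js_object_model;

typedef struct {
    val_tag tag;
    js_object_model *obj;   /* meaningful only when tag == TAG_OBJECT */
} jsval_model;

/* Models of JSVAL_IS_NULL() / JSVAL_NULL_OR_VOID(): inspect the tag, never dereference. */
static bool model_is_null(jsval_model v)      { return v.tag == TAG_NULL; }
static bool model_null_or_void(jsval_model v) { return v.tag == TAG_NULL || v.tag == TAG_VOID; }

/* Model of JSVAL_TO_OBJECT(): as the commit notes, the null value converts to a NULL pointer. */
static js_object_model *model_to_object(jsval_model v)
{
    return v.tag == TAG_OBJECT ? v.obj : NULL;
}

/* Model of an API call such as JS_GetPrivate(): dereferences its argument unconditionally. */
static int model_get_private_x(js_object_model *obj)
{
    return obj->x;
}

/* "Before": the pattern the commit fixes. With a null argument, obj is NULL when dereferenced. */
static bool native_gotoxy_before(jsval_model arg, int *out_x)
{
    js_object_model *obj = model_to_object(arg);
    *out_x = model_get_private_x(obj);   /* segfault when arg is null or undefined */
    return true;
}

/* "After": refuse null/undefined up front, then re-check the converted pointer. */
static bool native_gotoxy_after(jsval_model arg, int *out_x)
{
    js_object_model *obj;
    if (model_null_or_void(arg) || (obj = model_to_object(arg)) == NULL)
        return false;   /* real code would report a JS TypeError here */
    *out_x = model_get_private_x(obj);
    return true;
}

/* Constructors for the three argument kinds a script can pass. */
static jsval_model make_object_val(js_object_model *o) { jsval_model v = { TAG_OBJECT, o }; return v; }
static jsval_model make_null_val(void)                 { jsval_model v = { TAG_NULL, NULL }; return v; }
static jsval_model make_void_val(void)                 { jsval_model v = { TAG_VOID, NULL }; return v; }

/* Constructed sample object (hypothetical cursor position) and a convenience wrapper
 * that returns the x coordinate the hardened function read, or -1 if it refused. */
static js_object_model sample_pos = { 10, 5 };
static jsval_model sample_object_val(void) { return make_object_val(&sample_pos); }
static int hardened_x(jsval_model arg)
{
    int x = -1;
    return native_gotoxy_after(arg, &x) ? x : -1;
}

int main(void)
{
    int x = 0;
    bool ok;

    ok = native_gotoxy_before(sample_object_val(), &x);
    printf("object arg, original: ok=%d x=%d\n", ok, x);
    /* native_gotoxy_before(make_null_val(), &x) would dereference NULL; deliberately not called. */

    printf("object arg, hardened: x=%d\n", hardened_x(sample_object_val()));
    printf("null arg,   hardened: x=%d (is_null=%d)\n", hardened_x(make_null_val()), model_is_null(make_null_val()));
    printf("undefined,  hardened: x=%d\n", hardened_x(make_void_val()));
    return 0;
}
```

The guard `model_null_or_void(arg) || (obj = model_to_object(arg)) == NULL` is the shape the commit message prescribes: the tag test rejects `null` and `undefined` before any conversion, and the pointer test covers any other path by which the conversion could hand back NULL, so nothing downstream ever receives a null object pointer.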