    Prevent NULL pointer dereference when 'null' object passed to JS functions · 54523145
    Rob Swindell authored
    As was discovered as part of investigation into issue #769, a JavaScript
    could crash SBBS (cause a segfault) due to a NULL pointer dereference when
    the script passes 'null' to native JS functions where an object is expected.
    
    The issue raised was with console.gotoxy(), but it turns out that *many*
    Synchronet native JS functions would call JSVAL_TO_OBJECT() and then, without
    checking for NULL/nullptr, pass its return value to JS api functions such as
    JS_GetPrivate, JS_GetProperty, JS_GetClass, JS_ObjectIsFunction,
    JS_IsArrayObject, JS_GetArrayLength, JS_DefineProperty, JS_Enumerate, etc.
    All of these JS API functions dereference the passed object pointer without
    NULL/nullptr checking.
    
    The fix here is to either call JSVAL_IS_NULL() or JSVAL_NULL_OR_VOID() and,
    if true, not call JSVAL_TO_OBJECT(), and/or check the return value for the NULL
    value before using it as an argument to any other JS API function.
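The unguarded and guarded shapes of a native function, as an added example that is not Synchronet's code. The typedefs and macros below are a minimal constructed stand-in for SpiderMonkey's jsapi.h (and Synchronet's JSVAL_NULL_OR_VOID) so the file builds and runs without the engine; only the names the commit message uses are modelled.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for jsapi.h types (assumption: not the real layouts). A jsval
 * with obj == NULL and is_void == 0 models JS 'null'; is_void models 'undefined'. */
typedef struct JSContext JSContext;
typedef struct JSObject { void *priv; } JSObject;
typedef struct { JSObject *obj; int is_void; } jsval;
typedef int JSBool;
#define JS_TRUE  1
#define JS_FALSE 0
#define JSVAL_IS_NULL(v)      ((v).obj == NULL && !(v).is_void)
#define JSVAL_IS_VOID(v)      ((v).is_void)
#define JSVAL_NULL_OR_VOID(v) (JSVAL_IS_NULL(v) || JSVAL_IS_VOID(v))
#define JSVAL_TO_OBJECT(v)    ((v).obj)     /* 'null' converts to a NULL pointer */

/* Like the real JS_GetPrivate, this dereferences obj without a NULL check. */
static void *JS_GetPrivate(JSContext *cx, JSObject *obj) { (void)cx; return obj->priv; }

/* Before the fix: a script passing null reaches JS_GetPrivate(cx, NULL). */
void *unguarded_private(jsval arg)
{
    JSObject *obj = JSVAL_TO_OBJECT(arg);
    return JS_GetPrivate(NULL, obj);   /* segfault when obj == NULL */
}

/* After the fix: reject null/undefined before converting, and still check the
 * pointer before handing it to any other JS API function. Returns the private
 * data, or NULL when the argument is not an object. */
void *guarded_private(jsval arg)
{
    JSObject *obj;
    if (JSVAL_NULL_OR_VOID(arg))
        return NULL;                   /* report an argument error instead */
    obj = JSVAL_TO_OBJECT(arg);
    if (obj == NULL)
        return NULL;
    return JS_GetPrivate(NULL, obj);
}

/* Constructed sample arguments: an object, 'null', and 'undefined'. */
JSObject sample_obj = { &sample_obj };
const jsval sample_object = { &sample_obj, 0 };
const jsval sample_null   = { NULL, 0 };
const jsval sample_undef  = { NULL, 1 };

int main(void)
{
    printf("object -> %p\n", guarded_private(sample_object));
    printf("null   -> %p\n", guarded_private(sample_null));   /* NULL, no crash */
    return 0;
}
```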