From 049c18c41a02cf6a6934ecd5e9078faccc63d1d2 Mon Sep 17 00:00:00 2001
From: "Rob Swindell (on Windows 11)" <rob@synchro.net>
Date: Tue, 6 Aug 2024 18:06:44 -0700
Subject: [PATCH] Fix potential null object pointer passed to JS_GetProperty in
 js_gotoxy()

I'm not sure under what script conditions this could happen, but apparently
Nelgin was able to produce this null pointer deref (and segfault) using
DDMsgReader. This should fix issue #769
---
 src/sbbs3/js_console.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/sbbs3/js_console.cpp b/src/sbbs3/js_console.cpp
index 9e37f1d371..09763f5c76 100644
--- a/src/sbbs3/js_console.cpp
+++ b/src/sbbs3/js_console.cpp
@@ -1930,10 +1930,13 @@ js_gotoxy(JSContext *cx, uintN argc, jsval *arglist)
 	JS_SET_RVAL(cx, arglist, JSVAL_VOID);
 
 	if(JSVAL_IS_OBJECT(argv[0])) {
-		if(!JS_GetProperty(cx, JSVAL_TO_OBJECT(argv[0]),"x", &val)
+		JSObject* obj = JSVAL_TO_OBJECT(argv[0]);
+		if(obj == nullptr)
+			return JS_FALSE;
+		if(!JS_GetProperty(cx, obj, "x", &val)
 			|| !JS_ValueToInt32(cx,val,&x))
 			return JS_FALSE;
-		if(!JS_GetProperty(cx, JSVAL_TO_OBJECT(argv[0]),"y", &val)
+		if(!JS_GetProperty(cx, obj, "y", &val)
 			|| !JS_ValueToInt32(cx,val,&y))
 			return JS_FALSE;
 	} else {
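Review bot: The new null guard at `if(obj == nullptr) return JS_FALSE;` returns failure without reporting anything, so the script sees a silent abort rather than a catchable error; in this SpiderMonkey API a `JS_FALSE` return with no pending exception typically terminates the script with no message. Consider `JS_ReportError(cx, "gotoxy: argument is null, expected object with x and y properties");` before the return so the failure is diagnosable. As for the commit message's open question, `JSVAL_IS_OBJECT()` in this SpiderMonkey generation is, as far as I recall, also true for `JSVAL_NULL` (null is object-tagged), so a script calling `gotoxy(null)` would reach `JSVAL_TO_OBJECT()` and get a NULL `JSObject*` — `JSVAL_IS_NULL(argv[0])` would make that intent explicit; worth confirming against the jsapi.h in use. js_gotoxy's argc handling and the `else` branch are outside the hunk, so I cannot tell here whether `argv[0]` is guarded when argc is 0.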
-- 
GitLab