Prevent NULL pointer dereference when 'null' object passed to JS functions
As was discovered as part of the investigation into issue #769, a JavaScript script could crash SBBS (cause a segfault) due to a NULL pointer dereference when the script passes 'null' to native JS functions where an object is expected. The issue raised was with console.gotoxy(), but it turns out that *many* Synchronet native JS functions would call JSVAL_TO_OBJECT() and then, without checking for NULL/nullptr, pass its return value to JS API functions such as JS_GetPrivate, JS_GetProperty, JS_GetClass, JS_ObjectIsFunction, JS_IsArrayObject, JS_GetArrayLength, JS_DefineProperty, JS_Enumerate, etc. All of these JS API functions dereference the passed object pointer without NULL/nullptr checking. The fix here is to either call JSVAL_IS_NULL() or JSVAL_NULL_OR_VOID() and, if true, not call JSVAL_TO_OBJECT(), and/or check the return value for the NULL value before using it as an argument to any other JS API function.
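To make the bug class in the commit message concrete, here is an added example (not Synchronet's or SpiderMonkey's code) that models the one property of the SpiderMonkey 1.8 jsval conventions that matters: JSVAL_NULL is in the object-or-null class, so JSVAL_IS_OBJECT() accepts it and JSVAL_TO_OBJECT() hands back a NULL JSObject pointer, which JS_GetProperty() then dereferences. The jsval/JSObject types, the toy JS_GetProperty(), and the two gotoxy-style natives below are constructed stand-ins for illustration, not the real jsapi.h; JSVAL_NULL_OR_VOID() is reproduced with the meaning the commit message gives it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the SpiderMonkey 1.8 jsval conventions (NOT jsapi.h):
 * "null" lives in the object-or-null class, so JSVAL_IS_OBJECT(JSVAL_NULL) is
 * true and JSVAL_TO_OBJECT(JSVAL_NULL) is a NULL JSObject pointer. */
struct JSObject;
typedef enum { TAG_OBJECT_OR_NULL, TAG_VOID, TAG_INT } jsval_tag;
typedef struct { jsval_tag tag; struct JSObject *obj; int32_t i; } jsval;

typedef struct JSObject {           /* toy object: a few named properties */
    const char *names[4];
    jsval       values[4];
    int         count;
} JSObject;

static const jsval JSVAL_NULL = { TAG_OBJECT_OR_NULL, NULL, 0 };
static const jsval JSVAL_VOID = { TAG_VOID, NULL, 0 };

#define JSVAL_IS_OBJECT(v)    ((v).tag == TAG_OBJECT_OR_NULL) /* true for null too */
#define JSVAL_IS_NULL(v)      ((v).tag == TAG_OBJECT_OR_NULL && (v).obj == NULL)
#define JSVAL_IS_VOID(v)      ((v).tag == TAG_VOID)
#define JSVAL_IS_INT(v)       ((v).tag == TAG_INT)
#define JSVAL_TO_OBJECT(v)    ((v).obj)
#define JSVAL_TO_INT(v)       ((v).i)
/* Synchronet's convenience macro, as named in the commit message. */
#define JSVAL_NULL_OR_VOID(v) (JSVAL_IS_NULL(v) || JSVAL_IS_VOID(v))

static jsval INT_TO_JSVAL(int32_t i)     { jsval v = { TAG_INT, NULL, i }; return v; }
static jsval OBJECT_TO_JSVAL(JSObject *o) { jsval v = { TAG_OBJECT_OR_NULL, o, 0 }; return v; }

/* Model of JS_GetProperty(): like the real API it dereferences obj without a
 * NULL check, so a NULL obj faults on the first access. */
static bool JS_GetProperty(JSObject *obj, const char *name, jsval *out) {
    for (int n = 0; n < obj->count; n++) {
        if (strcmp(obj->names[n], name) == 0) { *out = obj->values[n]; return true; }
    }
    *out = JSVAL_VOID;
    return true;
}

/* Before: the crashing pattern. console.gotoxy(null) passes JSVAL_NULL,
 * JSVAL_IS_OBJECT() accepts it, and JS_GetProperty() dereferences NULL. */
static bool gotoxy_before(jsval arg, int *x, int *y) {
    if (!JSVAL_IS_OBJECT(arg))
        return false;
    JSObject *obj = JSVAL_TO_OBJECT(arg);   /* NULL when arg is JSVAL_NULL */
    jsval v;
    JS_GetProperty(obj, "x", &v);           /* segfault here for null */
    *x = JSVAL_TO_INT(v);
    JS_GetProperty(obj, "y", &v);
    *y = JSVAL_TO_INT(v);
    return true;
}

/* After: reject null/undefined before converting, then check the pointer and
 * the property types before using them. */
static bool gotoxy_after(jsval arg, int *x, int *y) {
    if (JSVAL_NULL_OR_VOID(arg) || !JSVAL_IS_OBJECT(arg))
        return false;
    JSObject *obj = JSVAL_TO_OBJECT(arg);
    if (obj == NULL)                        /* second line of defence */
        return false;
    jsval vx, vy;
    if (!JS_GetProperty(obj, "x", &vx) || !JSVAL_IS_INT(vx))
        return false;
    if (!JS_GetProperty(obj, "y", &vy) || !JSVAL_IS_INT(vy))
        return false;
    *x = JSVAL_TO_INT(vx);
    *y = JSVAL_TO_INT(vy);
    return true;
}

/* Demo helpers: build an {x, y} object and exercise both natives. */
static JSObject make_point(int x, int y) {
    JSObject o;
    memset(&o, 0, sizeof o);
    o.names[0] = "x"; o.values[0] = INT_TO_JSVAL(x);
    o.names[1] = "y"; o.values[1] = INT_TO_JSVAL(y);
    o.count = 2;
    return o;
}

/* Root cause: null passes the object check and converts to a NULL pointer. */
static bool null_is_object_with_null_pointer(void) {
    return JSVAL_IS_OBJECT(JSVAL_NULL) && JSVAL_TO_OBJECT(JSVAL_NULL) == NULL;
}

/* True iff the hardened native returns the coordinates of a real object. */
static bool after_accepts_point(int x, int y) {
    JSObject p = make_point(x, y);
    int ox = -1, oy = -1;
    return gotoxy_after(OBJECT_TO_JSVAL(&p), &ox, &oy) && ox == x && oy == y;
}

/* True iff the hardened native refuses arg instead of touching a pointer. */
static bool after_rejects(jsval arg) {
    int ox = -1, oy = -1;
    return !gotoxy_after(arg, &ox, &oy) && ox == -1 && oy == -1;
}

/* The unfixed native still works for a real object; never call it with null. */
static bool before_accepts_point(int x, int y) {
    JSObject p = make_point(x, y);
    int ox = -1, oy = -1;
    return gotoxy_before(OBJECT_TO_JSVAL(&p), &ox, &oy) && ox == x && oy == y;
}
```

The point of keeping both the JSVAL_NULL_OR_VOID() test and the `obj == NULL` test in gotoxy_after is that the first rejects the caller's argument with a clean error while the second guards any other path that produced the pointer; neither check costs anything measurable, and together they cover every JS API call listed in the commit message, all of which dereference the pointer they are given.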
parent a2d6dc86

Showing 13 changed files
- src/sbbs3/exec.cpp: 22 additions, 18 deletions
- src/sbbs3/js_archive.c: 1 addition, 1 deletion
- src/sbbs3/js_conio.c: 1 addition, 1 deletion
- src/sbbs3/js_console.cpp: 1 addition, 1 deletion
- src/sbbs3/js_file.c: 5 additions, 5 deletions
- src/sbbs3/js_filebase.c: 6 additions, 6 deletions
- src/sbbs3/js_global.c: 24 additions, 20 deletions
- src/sbbs3/js_internal.c: 8 additions, 2 deletions
- src/sbbs3/js_msgbase.c: 10 additions, 8 deletions
- src/sbbs3/js_socket.c: 8 additions, 6 deletions
- src/sbbs3/js_system.c: 5 additions, 3 deletions
- src/sbbs3/main.cpp: 2 additions, 2 deletions
- src/sbbs3/websrvr.c: 19 additions, 16 deletions