Commit 54523145 authored by Rob Swindell's avatar Rob Swindell :speech_balloon:
Prevent NULL pointer dereference when 'null' object passed to JS functions

As was discovered as part of investigation into issue #769, a JavaScript
could crash SBBS (cause a segfault) due to a NULL pointer dereference when
the script passes 'null' to native JS functions where an object is expected.

The issue raised was with console.gotoxy(), but it turns out that *many*
Synchronet native JS functions would call JSVAL_TO_OBJECT() and then, without
checking for NULL/nullptr, pass its return value to JS api functions such as
JS_GetPrivate, JS_GetProperty, JS_GetClass, JS_ObjectIsFunction,
JS_IsArrayObject, JS_GetArrayLength, JS_DefineProperty, JS_Enumerate, etc.
All of these JS API functions dereference the passed object pointer without
NULL/nullptr checking.

The fix here is to either call JSVAL_IS_NULL() or JSVAL_NULL_OR_VOID() and,
if true, not call JSVAL_TO_OBJECT(), and/or check the return value for the NULL
value before using it as an argument to any other JS API functions.
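The pattern the commit message describes, shown as an added example that is not part of the commit or of Synchronet's code. It uses a constructed stand-in model of a tagged JS value (`sim_val_t`, `sim_val_to_object`, `sim_get_private`, `sim_val_null_or_void` are all assumptions that mirror the roles of JSVAL_TO_OBJECT, JS_GetPrivate and JSVAL_NULL_OR_VOID, not the real SpiderMonkey API) so that the vulnerable native-function shape and the hardened shape can be compared and run without the engine:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in model, constructed for this example (NOT the real SpiderMonkey
 * API): a tagged value that is an object pointer, JS null, or undefined. */
typedef enum { SIM_TAG_UNDEFINED, SIM_TAG_NULL, SIM_TAG_OBJECT } sim_tag_t;

typedef struct sim_object {
    void *private_data;            /* what a JS_GetPrivate()-style call returns */
} sim_object_t;

typedef struct {
    sim_tag_t     tag;
    sim_object_t *obj;             /* meaningful only when tag == SIM_TAG_OBJECT */
} sim_val_t;

/* Role of JSVAL_TO_OBJECT(): a null value converts to a NULL object pointer,
 * and that NULL is what the unchecked code then hands to the engine. */
static sim_object_t *sim_val_to_object(sim_val_t v)
{
    return v.tag == SIM_TAG_OBJECT ? v.obj : NULL;
}

/* Role of JSVAL_NULL_OR_VOID(): true for JS null and for undefined. */
static bool sim_val_null_or_void(sim_val_t v)
{
    return v.tag == SIM_TAG_NULL || v.tag == SIM_TAG_UNDEFINED;
}

/* Role of JS_GetPrivate(): dereferences its argument with no NULL check,
 * which is the behaviour the commit message attributes to the JS API. */
static void *sim_get_private(sim_object_t *obj)
{
    return obj->private_data;
}

/* BEFORE: the shape the commit fixes. A script passing 'null' where an
 * object is expected reaches sim_get_private(NULL) and segfaults. */
static void *native_before(sim_val_t arg)
{
    sim_object_t *obj = sim_val_to_object(arg);
    return sim_get_private(obj);   /* NULL dereference when arg is null */
}

/* AFTER: reject null/undefined before converting, and also check the
 * converted pointer, so the engine API never receives a NULL object.
 * Returns false where the real function would report a type error. */
static bool native_after(sim_val_t arg, void **out)
{
    *out = NULL;
    if (sim_val_null_or_void(arg))
        return false;
    sim_object_t *obj = sim_val_to_object(arg);
    if (obj == NULL)
        return false;
    *out = sim_get_private(obj);
    return true;
}

/* Constructed sample input: one object with a private pointer. */
static int          sample_private = 42;
static sim_object_t sample_obj     = { &sample_private };

/* Hardened path with a real object argument: private pointer comes back. */
static void *demo_object_arg(void)
{
    sim_val_t v = { SIM_TAG_OBJECT, &sample_obj };
    void *p = NULL;
    return native_after(v, &p) ? p : NULL;
}

/* Hardened path with a JS 'null' argument: rejected, nothing dereferenced. */
static bool demo_null_arg_rejected(void)
{
    sim_val_t v = { SIM_TAG_NULL, NULL };
    void *p = (void *)1;
    return !native_after(v, &p) && p == NULL;
}

/* Hardened path with an undefined argument: also rejected. */
static bool demo_undefined_arg_rejected(void)
{
    sim_val_t v = { SIM_TAG_UNDEFINED, NULL };
    void *p = (void *)1;
    return !native_after(v, &p) && p == NULL;
}

int main(void)
{
    sim_val_t good = { SIM_TAG_OBJECT, &sample_obj };
    printf("before, object arg: %d\n", *(int *)native_before(good));
    printf("after,  object arg: %d\n", *(int *)demo_object_arg());
    printf("after,  null arg rejected: %s\n",
           demo_null_arg_rejected() ? "yes" : "no");
    printf("after,  undefined arg rejected: %s\n",
           demo_undefined_arg_rejected() ? "yes" : "no");
    /* native_before() with a null-tagged value is deliberately not called:
     * it would crash, which is the defect the commit removes. */
    return 0;
}
```

The check on the converted pointer after the tag test is deliberate redundancy: it keeps the function safe even if a caller reaches it through a path that skipped the tag check, at the cost of one comparison.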
parent a2d6dc86
1 merge request: !455 Update branch with changes from master
Pipeline #6530 passed