From 91b5a37ca1155f71f28c6eda9fa163b0b66ff3ce Mon Sep 17 00:00:00 2001
From: "Rob Swindell (on Windows 11)" <rob@synchro.net>
Date: Mon, 30 Dec 2024 14:47:38 -0800
Subject: [PATCH] Check return value of JS_NewStringCopyZ (for NULL)

Kind of a shot in the dark here: Max (WESTLINE) is reporting HEAP CORRUPTION debug assertion in websrvr.dll. In the 2 instances reported, a long (336 char) JSON "query value" was logged by apparent spam-bot trying to create a a new user account ("send-me-free-stuff" is one of the JSON properties). JS_NewStringCopyZ() can return NULL in a low memory situation, though I don't know that explains possible heap corruption.
---
 src/sbbs3/websrvr.c | 47 ++++++++++++++++++++++++++++++---------------
 1 file changed, 32 insertions(+), 15 deletions(-)

diff --git a/src/sbbs3/websrvr.c b/src/sbbs3/websrvr.c
index 912da149e6..b22767d363 100644
--- a/src/sbbs3/websrvr.c
+++ b/src/sbbs3/websrvr.c
@@ -2418,10 +2418,16 @@ static void js_add_queryval(http_session_t * session, char *key, char *value)
 alen=len;
 }
- lprintf(LOG_DEBUG,"%04d %s [%s] Adding query value %s=%s at pos %d"
- ,session->socket, session->client.protocol, session->host_ip, key,value,alen);
- val=STRING_TO_JSVAL(JS_NewStringCopyZ(session->js_cx,value));
- JS_SetElement(session->js_cx, keyarray, alen, &val);
+ JSString* js_str = JS_NewStringCopyZ(session->js_cx,value);
+ if(js_str == NULL)
+ errprintf(LOG_ERR, WHERE, "%04d %s [%s] failed to create JSString for query value '%s', key=%s"
+ ,session->socket, session->client.protocol, session->host_ip, value, key);
+ else {
+ lprintf(LOG_DEBUG,"%04d %s [%s] Adding query value %s=%s at pos %d"
+ ,session->socket, session->client.protocol, session->host_ip, key,value,alen);
+ val=STRING_TO_JSVAL(js_str);
+ JS_SetElement(session->js_cx, keyarray, alen, &val);
+ }
 }
 static void js_add_cookieval(http_session_t * session, char *key, char *value)
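Review bot: The NULL guard on the new `JSString* js_str` line is correct, but it cannot account for the heap-corruption assertion the commit message describes: a NULL from JS_NewStringCopyZ wrapped by STRING_TO_JSVAL would most likely surface as a null-pointer crash once the engine touches the jsval, not as a corrupted heap. Both reports involved an unusually long (336-character) query value, so the size of the buffer that `value` is parsed into by the caller of js_add_queryval is worth verifying before this is treated as the fix; that parsing and the start of this function's body are outside the hunk. The same guard and the same open question apply to js_add_cookieval in the next hunk. On the new error path the full untrusted `value` goes to the error log at LOG_ERR; a bounded width such as `'%.128s'` in that format string keeps an oversized or newline-bearing payload from flooding or shaping the log, which the LOG_DEBUG line already accepted but an always-on error line should not.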
@@ -2450,10 +2456,16 @@ static void js_add_cookieval(http_session_t * session, char *key, char *value)
 alen=len;
 }
- lprintf(LOG_DEBUG,"%04d %s [%s] Adding cookie value %s=%s at pos %d"
- ,session->socket, session->client.protocol, session->host_ip, key,value,alen);
- val=STRING_TO_JSVAL(JS_NewStringCopyZ(session->js_cx,value));
- JS_SetElement(session->js_cx, keyarray, alen, &val);
+ JSString* js_str = JS_NewStringCopyZ(session->js_cx,value);
+ if(js_str == NULL)
+ errprintf(LOG_ERR, WHERE, "%04d %s [%s] failed to create JSString for cookie value '%s', key=%s"
+ ,session->socket, session->client.protocol, session->host_ip, value, key);
+ else {
+ lprintf(LOG_DEBUG,"%04d %s [%s] Adding cookie value %s=%s at pos %d"
+ ,session->socket, session->client.protocol, session->host_ip, key,value,alen);
+ val=STRING_TO_JSVAL(js_str);
+ JS_SetElement(session->js_cx, keyarray, alen, &val);
+ }
 }
 static void js_add_request_property(http_session_t * session, char *key, char *value, size_t len, bool writeable)
@@ -5620,7 +5632,9 @@ js_log(JSContext *cx, uintN argc, jsval *arglist)
 lprintf(level,"%04d %s",session->socket,str);
 JS_RESUMEREQUEST(cx, rc);
- JS_SET_RVAL(cx, arglist, STRING_TO_JSVAL(JS_NewStringCopyZ(cx, str)));
+ JSString* js_str = JS_NewStringCopyZ(cx, str);
+ if(js_str != NULL)
+ JS_SET_RVAL(cx, arglist, STRING_TO_JSVAL(js_str));
 return(JS_TRUE);
 }
@@ -6001,6 +6015,7 @@ js_initcx(http_session_t *session)
 static bool js_setup_cx(http_session_t* session)
 {
 JSObject* argv;
+ JSString* js_str;
 if(session->js_runtime == NULL) {
 lprintf(LOG_DEBUG,"%04d JavaScript: Creating runtime: %u bytes"
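Review bot: In the js_log hunk, the new `if(js_str != NULL)` guard skips JS_SET_RVAL but the function still returns JS_TRUE, so after a failed allocation the script sees a successful call whose return value is whatever the rval slot held before the native ran (presumably undefined, but that depends on how this engine version initialises the slot — confirm). The JSAPI convention for a native that cannot allocate is to return JS_FALSE so the engine propagates the out-of-memory condition rather than continuing with a half-initialised result; the simplest form is `if(js_str == NULL) return JS_FALSE;` followed by an unconditional `JS_SET_RVAL(cx, arglist, STRING_TO_JSVAL(js_str));`. If tolerating the NULL is intended, a one-line comment on the guard saying why would help, since the query and cookie hunks log the same failure at LOG_ERR and this one is silent. The body of js_log begins outside this hunk.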
@@ -6025,12 +6040,14 @@ static bool js_setup_cx(http_session_t* session)
 JS_DefineProperty(session->js_cx, session->js_glob, "argc", INT_TO_JSVAL(0)
 ,NULL,NULL,JSPROP_READONLY|JSPROP_ENUMERATE);
- JS_DefineProperty(session->js_cx, session->js_glob, "web_root_dir",
- STRING_TO_JSVAL(JS_NewStringCopyZ(session->js_cx, root_dir))
- ,NULL,NULL,JSPROP_READONLY|JSPROP_ENUMERATE);
- JS_DefineProperty(session->js_cx, session->js_glob, "web_error_dir",
- STRING_TO_JSVAL(JS_NewStringCopyZ(session->js_cx, session->req.error_dir?session->req.error_dir:error_dir))
- ,NULL,NULL,JSPROP_READONLY|JSPROP_ENUMERATE);
+ if((js_str = JS_NewStringCopyZ(session->js_cx, root_dir)) != NULL)
+ JS_DefineProperty(session->js_cx, session->js_glob, "web_root_dir",
+ STRING_TO_JSVAL(js_str)
+ ,NULL,NULL,JSPROP_READONLY|JSPROP_ENUMERATE);
+ if((js_str = JS_NewStringCopyZ(session->js_cx, session->req.error_dir?session->req.error_dir:error_dir)) != NULL)
+ JS_DefineProperty(session->js_cx, session->js_glob, "web_error_dir",
+ STRING_TO_JSVAL(js_str)
+ ,NULL,NULL,JSPROP_READONLY|JSPROP_ENUMERATE);
 JS_ENDREQUEST(session->js_cx);
 } else {
-- 
GitLab
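Review bot: When either new `if((js_str = JS_NewStringCopyZ(...)) != NULL)` guard fails, `web_root_dir` or `web_error_dir` is silently left undefined on the global object and setup apparently continues to JS_ENDREQUEST as if nothing went wrong, so any script that reads the directory would see undefined rather than a configured path. The query and cookie hunks log the same failure at LOG_ERR; for consistency give each guard an `else errprintf(LOG_ERR, WHERE, "%04d failed to create JSString for web_root_dir", session->socket);` branch (and the matching one naming web_error_dir), and consider whether a missing web_root_dir should make js_setup_cx report failure for the session instead of proceeding. The return value and the rest of js_setup_cx are outside this hunk, so where that failure could be propagated cannot be judged from here.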