sbbs

Prevent NULL pointer dereference when 'null' object passed to JS functions

Rob Swindell authored 10 months ago

As was discovered as part of investigation into issue #769, a JavaScript
could crash SBBS (cause a segfault) due to a NULL pointer dereference when
the script passes 'null' to native JS functions where an object is expected.

The issue raised was with console.gotoxy(), but it turns out that *many*
Synchronet native JS functions would call JSVAL_TO_OBJECT() and then, without
checking for NULL/nullptr, pass its return value to JS api functions such as
JS_GetPrivate, JS_GetProperty, JS_GetClass, JS_ObjectIsFunction,
JS_IsArrayObject, JS_GetArrayLength, JS_DefineProperty, JS_Enumerate, etc.
All of these JS API functions dereference the passed object pointer without
NULL/nullptr checking.

The fix here is to either call JSVAL_IS_NULL() or JSVAL_NULL_OR_VOID() and
if true, not call JSVAL_TO_OBJECT() and/or check the return value for the NULL
value before using as an argument to any other JS API functions.

54523145

History

54523145 10 months ago

History

Name	Last commit	Last update
install/init.d
install/logrotate.d
install/rc.d
install/rsyslog.d
install/systemd
install/FILE_ID.DIZ
install/install-sbbs.mk
install/install.iss
install/lsm.txt
install/net.synchro.sbbs.plist
install/termcap
install/terminfo