authorNick Vatamaniuc <vatamane@gmail.com>2023-05-28 01:50:46 -0400
committerbptato <nincsnevem662@gmail.com>2023-09-23 13:45:39 +0200
commit43c01994f48b1452f32c3e4269167634b23fb601 (patch)
tree4bdceda5ff8083e0265b48cc1dd6303dccc72997 /lib/quickjs/quickjs.c
parent821693c4374d9895f462fa29644905c61dbb241d (diff)
downloadchawan-43c01994f48b1452f32c3e4269167634b23fb601.tar.gz
Fix stack overflow in CVE-2023-31922
isArray and proxy isArray can call each other indefinitely in a mutually
recursive loop.

Add a stack overflow check in the js_proxy_isArray function before calling
JS_isArray(ctx, s->target).

With ASAN enabled, running the poc.js from issue 178 now reports:

```
./qjs ./poc.js
InternalError: stack overflow
  at isArray (native)
  at <eval> (./poc.js:4)
```

Fix: https://github.com/bellard/quickjs/issues/178
Diffstat (limited to 'lib/quickjs/quickjs.c')
-rw-r--r--lib/quickjs/quickjs.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/quickjs/quickjs.c b/lib/quickjs/quickjs.c
index 7aa3cfd2..197887b0 100644
--- a/lib/quickjs/quickjs.c
+++ b/lib/quickjs/quickjs.c
@@ -45433,6 +45433,12 @@ static int js_proxy_isArray(JSContext *ctx, JSValueConst obj)
     JSProxyData *s = JS_GetOpaque(obj, JS_CLASS_PROXY);
     if (!s)
         return FALSE;
+
+    if (js_check_stack_overflow(ctx->rt, 0)) {
+        JS_ThrowStackOverflow(ctx);
+        return -1;
+    }
+
     if (s->is_revoked) {
         JS_ThrowTypeErrorRevokedProxy(ctx);
         return -1;
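Review bot: The new guard has no comment saying why a stack check sits in a non-recursive-looking function, so a future cleanup could move it after the is_revoked branch or drop it as redundant; I would precede the `js_check_stack_overflow` call with `/* JS_IsArray on a proxy recurses into its target, and a proxy chain can be made arbitrarily deep (CVE-2023-31922, bellard/quickjs#178); bound the recursion here. */`. The guard is placed before the revoked-proxy check, so a revoked proxy reached at depth reports a stack overflow rather than the revoked-proxy TypeError, which seems acceptable but is worth stating in the same comment. Note too that the check presumably only fires when the runtime has a stack limit configured, so an embedder that disables it would still be exposed — a caveat to confirm against js_check_stack_overflow and JS_SetMaxStackSize, which are outside this hunk. The body of js_proxy_isArray continues past the end of the hunk, so the -1 return path's handling by callers is not visible here.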