ref: 7ef066a3bb95bf83e7c5be50d859e62e58fe8515
parent: dbb86fcd8b6ab141f20512315a7ad12b63264638
author: Tor Andersson <tor.andersson@artifex.com>
date: Fri Apr 23 07:11:28 EDT 2021
Fix use-after-free in regexp source property access. The underlying string of the "source" property of a regular expression object can be freed if the regexp is garbage collected. This could lead to a use-after-free, because the accessor incorrectly assumed that the regexp source was an interned (thus never freed) string. Fix this by calling js_pushstring instead of the faster but unsafe js_pushliteral. Many thanks to Connor Nelson for spotting this!
--- a/jsrun.c
+++ b/jsrun.c
@@ -522,7 +522,7 @@
else if (obj->type == JS_CREGEXP) { if (!strcmp(name, "source")) {- js_pushliteral(J, obj->u.r.source);
+ js_pushstring(J, obj->u.r.source);
return 1;
}
if (!strcmp(name, "global")) {