Fix stack overflow in CVE-2023-31922
isArray and proxy isArray can call each other indefinitely in a mutually
recursive loop.

Add a stack overflow check in the js_proxy_isArray function before calling
JS_isArray(ctx, s->target).

With ASAN the poc.js from issue 178:

```
./qjs ./poc.js
InternalError: stack overflow
  at isArray (native)
  at <eval> (./poc.js:4)
```

Fix: bellard/quickjs#178
nickva committed Nov 29, 2023
1 parent 3b034b8 commit 6ce5483
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions quickjs.c
Expand Up @@ -43564,6 +43564,12 @@ static int js_proxy_isArray(JSContext *ctx, JSValueConst obj)
JSProxyData *s = JS_GetOpaque(obj, JS_CLASS_PROXY);
if (!s)
return FALSE;

if (js_check_stack_overflow(ctx->rt, 0)) {
JS_ThrowStackOverflow(ctx);
return -1;
}

if (s->is_revoked) {
JS_ThrowTypeErrorRevokedProxy(ctx);
return -1;
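Review bot: the new `js_check_stack_overflow` block carries no comment explaining why a plain "is this an array" query needs a stack check, so a later reader of `js_proxy_isArray` has to find this commit to learn that a proxy whose target is another proxy sends `JS_IsArray` and `js_proxy_isArray` into mutual recursion; a one-line comment such as `/* proxy targets may be proxies themselves: guard the JS_IsArray recursion */` above the check would keep that rationale with the code. The placement before the `s->is_revoked` branch means a revoked proxy reached deep in such a chain now reports `InternalError: stack overflow` instead of the revoked-proxy TypeError, which is acceptable since either path returns -1, but worth stating in the commit message. It would also be useful to add the poc.js from issue 178 referenced in the message as a regression test so the recursion cannot silently return.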
