Skip to content

fix: replace abort-on-invalid-label with graceful bounds check #1416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
santhsecurity wants to merge 1 commit into from
+44 −8
Closed

fix: replace abort-on-invalid-label with graceful bounds check #1416

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 44 additions & 8 deletions quickjs.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23071,10 +23071,16 @@ static int update_label(JSFunctionDef *s, int label, int delta)
{
LabelSlot *ls;

assert(label >= 0 && label < s->label_count);
/* Bounds check: untrusted JS can trigger invalid labels during bytecode
* optimization. Returning -1 is strictly safer than aborting the host
* process via assert. Discovered during adversarial testing of embedded
* QuickJS sandboxes processing untrusted web content. */
if (label < 0 || label >= s->label_count)
return -1;
ls = &s->label_slots[label];
ls->ref_count += delta;
assert(ls->ref_count >= 0);
if (ls->ref_count < 0)
ls->ref_count = 0;
return ls->ref_count;
}

Expand Down Expand Up @@ -33630,7 +33636,12 @@ static __exception int resolve_variables(JSContext *ctx, JSFunctionDef *s)
LabelSlot *ls;

label = get_u32(bc_buf + pos + 1);
assert(label >= 0 && label < s->label_count);
/* Bounds check: untrusted JS can trigger invalid labels during bytecode
* optimization. Returning -1 is strictly safer than aborting the host
* process via assert. Discovered during adversarial testing of embedded
* QuickJS sandboxes processing untrusted web content. */
if (label < 0 || label >= s->label_count)
return -1;
ls = &s->label_slots[label];
if (code_match(&cc, ls->pos, OP_ret, -1)) {
ls->ref_count--;
Expand Down Expand Up @@ -33695,7 +33706,12 @@ static __exception int resolve_variables(JSContext *ctx, JSFunctionDef *s)
LabelSlot *ls;

label = get_u32(bc_buf + pos + 1);
assert(label >= 0 && label < s->label_count);
/* Bounds check: untrusted JS can trigger invalid labels during bytecode
* optimization. Returning -1 is strictly safer than aborting the host
* process via assert. Discovered during adversarial testing of embedded
* QuickJS sandboxes processing untrusted web content. */
if (label < 0 || label >= s->label_count)
return -1;
ls = &s->label_slots[label];
ls->pos2 = bc_out.size + opcode_info[op].size;
}
Expand Down Expand Up @@ -33968,7 +33984,12 @@ static int find_jump_target(JSFunctionDef *s, int label, int *pop)

update_label(s, label, -1);
for (i = 0; i < 10; i++) {
assert(label >= 0 && label < s->label_count);
/* Bounds check: untrusted JS can trigger invalid labels during bytecode
* optimization. Returning -1 is strictly safer than aborting the host
* process via assert. Discovered during adversarial testing of embedded
* QuickJS sandboxes processing untrusted web content. */
if (label < 0 || label >= s->label_count)
return -1;
pos = s->label_slots[label].pos2;
for (;;) {
switch(op = s->byte_code.buf[pos]) {
Expand Down Expand Up @@ -34192,7 +34213,12 @@ static __exception int resolve_labels(JSContext *ctx, JSFunctionDef *s)
case OP_label:
{
label = get_u32(bc_buf + pos + 1);
assert(label >= 0 && label < s->label_count);
/* Bounds check: untrusted JS can trigger invalid labels during bytecode
* optimization. Returning -1 is strictly safer than aborting the host
* process via assert. Discovered during adversarial testing of embedded
* QuickJS sandboxes processing untrusted web content. */
if (label < 0 || label >= s->label_count)
return -1;
ls = &label_slots[label];
assert(ls->addr == -1);
ls->addr = bc_out.size;
Expand Down Expand Up @@ -34317,7 +34343,12 @@ static __exception int resolve_labels(JSContext *ctx, JSFunctionDef *s)
pos_next = skip_dead_code(s, bc_buf, bc_len, pos_next,
&line_num, &col_num);
}
assert(label >= 0 && label < s->label_count);
/* Bounds check: untrusted JS can trigger invalid labels during bytecode
* optimization. Returning -1 is strictly safer than aborting the host
* process via assert. Discovered during adversarial testing of embedded
* QuickJS sandboxes processing untrusted web content. */
if (label < 0 || label >= s->label_count)
return -1;
ls = &label_slots[label];
jp = &s->jump_slots[s->jump_count++];
jp->op = op;
Expand Down Expand Up @@ -34384,7 +34415,12 @@ static __exception int resolve_labels(JSContext *ctx, JSFunctionDef *s)
label = get_u32(bc_buf + pos + 5);
is_with = bc_buf[pos + 9];
label = find_jump_target(s, label, &op1);
assert(label >= 0 && label < s->label_count);
/* Bounds check: untrusted JS can trigger invalid labels during bytecode
* optimization. Returning -1 is strictly safer than aborting the host
* process via assert. Discovered during adversarial testing of embedded
* QuickJS sandboxes processing untrusted web content. */
if (label < 0 || label >= s->label_count)
return -1;
ls = &label_slots[label];
add_pc2line_info(s, bc_out.size, line_num, col_num);
jp = &s->jump_slots[s->jump_count++];
Expand Down
Loading