Bug 1750609 (Core :: JavaScript Engine, defect, P5), status NEW, open
Opened 2 years ago, updated 2 years ago
Avoid out-of-bounds out of `JSAtomState::wellKnownSymbolDescriptions()` returned value.
Reporter: nbp, Unassigned
References: Blocks 1 open bug
Details
JSAtomState::wellKnownSymbolNames() and JSAtomState::wellKnownSymbolDescriptions() are using the macro JS_FOR_EACH_WELL_KNOWN_SYMBOL, and are expanded to the following code:
```cpp
js::ImmutablePropertyNamePtr* wellKnownSymbolDescriptions() {
  // Only the first return is reachable; it hands back the address of a single field.
  return &Symbol_isConcatSpreadable;
  return &Symbol_iterator;
  return &Symbol_match;
  return &Symbol_replace;
  return &Symbol_search;
  return &Symbol_species;
  return &Symbol_hasInstance;
  return &Symbol_split;
  return &Symbol_toPrimitive;
  return &Symbol_toStringTag;
  return &Symbol_unscopables;
  return &Symbol_asyncIterator;
  return &Symbol_matchAll;
}
```
Callers then abuse C++ by reinterpreting a pointer to a single element as an array of elements, such as the following found in ExpressionDecompiler::decompilePC:
```cpp
case JSOp::Symbol: {
  unsigned i = uint8_t(pc[1]);
  MOZ_ASSERT(i < JS::WellKnownSymbolLimit);
  if (i < JS::WellKnownSymbolLimit) {
    // Indexes the pointer to the first field as if it were an array.
    return write(cx->names().wellKnownSymbolDescriptions()[i]);
  }
  break;
}
```
The code which creates the symbols should instead create a static array of js::ImmutablePropertyNamePtr, and the address of this array should be returned by JSAtomState::wellKnownSymbolDescriptions(), instead of the address of the first field.
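As an added illustration (not code from this bug or from SpiedMonkey's tree), this sketches the layout the report asks for: the same X-macro that enumerates the symbols fills one real array, the accessor returns that array, and a lookup mirrors the bounds check in decompilePC. FOR_EACH_WELL_KNOWN_SYMBOL, SymbolCode, DescriptionPtr, AtomState and describeSymbolOperand are stand-in names assumed here; the real macro, JS::WellKnownSymbolLimit and js::ImmutablePropertyNamePtr are only approximated.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical X-macro standing in for JS_FOR_EACH_WELL_KNOWN_SYMBOL (assumption).
#define FOR_EACH_WELL_KNOWN_SYMBOL(MACRO) \
  MACRO(isConcatSpreadable)               \
  MACRO(iterator)                         \
  MACRO(match)                            \
  MACRO(toPrimitive)

// One index per symbol; Limit plays the role of JS::WellKnownSymbolLimit.
enum class SymbolCode : uint8_t {
#define DECLARE_CODE(name) name,
  FOR_EACH_WELL_KNOWN_SYMBOL(DECLARE_CODE)
#undef DECLARE_CODE
  Limit
};
constexpr size_t kWellKnownSymbolLimit = static_cast<size_t>(SymbolCode::Limit);

// Stand-in for js::ImmutablePropertyNamePtr (assumption): a description string.
using DescriptionPtr = const char*;

// The fix: the macro fills ONE real array, so descriptions[i] for i < Limit is
// ordinary in-bounds indexing. Before the fix each entry was a separate struct
// field and the accessor returned &firstField, which callers indexed anyway.
constexpr DescriptionPtr kWellKnownSymbolDescriptions[] = {
#define DESCRIPTION(name) "Symbol." #name,
  FOR_EACH_WELL_KNOWN_SYMBOL(DESCRIPTION)
#undef DESCRIPTION
};
static_assert(sizeof(kWellKnownSymbolDescriptions) / sizeof(kWellKnownSymbolDescriptions[0]) ==
                  kWellKnownSymbolLimit,
              "description table and symbol enum must stay in sync");

struct AtomState {
  // Returns the address of the array (element 0), not of a lone field.
  const DescriptionPtr* wellKnownSymbolDescriptions() const {
    return kWellKnownSymbolDescriptions;
  }
};

// Mirrors the decompilePC lookup: the bytecode operand is one byte and is
// bounds-checked against the limit before it is used as an index.
DescriptionPtr describeSymbolOperand(const AtomState& names, uint8_t operand) {
  if (static_cast<size_t>(operand) < kWellKnownSymbolLimit) {
    return names.wellKnownSymbolDescriptions()[operand];
  }
  return nullptr;  // out-of-range operand: refuse rather than read past the table
}
```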