Open Bug 1750609 Opened 2 years ago Updated 2 years ago

Avoid out-of-bounds out of `JSAtomState::wellKnownSymbolDescriptions()` returned value.

Categories: Core :: JavaScript Engine, defect, P5

People: Reporter: nbp, Unassigned

References: Blocks 1 open bug

Details

JSAtomState::wellKnownSymbolNames() and JSAtomState::wellKnownSymbolDescriptions() both use the macro JS_FOR_EACH_WELL_KNOWN_SYMBOL and expand to the following code:

  js::ImmutablePropertyNamePtr* wellKnownSymbolDescriptions() {
    return &Symbol_isConcatSpreadable;
    return &Symbol_iterator;
    return &Symbol_match;
    return &Symbol_replace;
    return &Symbol_search;
    return &Symbol_species;
    return &Symbol_hasInstance;
    return &Symbol_split;
    return &Symbol_toPrimitive;
    return &Symbol_toStringTag;
    return &Symbol_unscopables;
    return &Symbol_asyncIterator;
    return &Symbol_matchAll;
  }

These functions abuse C++: they return a pointer to a single member, and callers reinterpret that pointer as an array of elements, as in the following code from ExpressionDecompiler::decompilePC:

    case JSOp::Symbol: {
      unsigned i = uint8_t(pc[1]);
      MOZ_ASSERT(i < JS::WellKnownSymbolLimit);
      if (i < JS::WellKnownSymbolLimit) {
        return write(cx->names().wellKnownSymbolDescriptions()[i]);
      }
      break;
    }

The code which creates the symbols should instead declare a static array of js::ImmutablePropertyNamePtr, and JSAtomState::wellKnownSymbolDescriptions() should return the address of this array instead of the address of the first field.
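As an added illustration (not SpiderMonkey's code), the following constructed X-macro shows the "address of the first member, indexed as an array" pattern beside the static-array shape this report asks for; the FOR_EACH_WELL_KNOWN_SYMBOL list, the AtomStateBefore/AtomStateAfter structs and descriptionAt() are assumptions made for the example.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed stand-in for JS_FOR_EACH_WELL_KNOWN_SYMBOL (same 13 symbols as the report).
#define FOR_EACH_WELL_KNOWN_SYMBOL(M)                                 \
  M(isConcatSpreadable) M(iterator) M(match) M(replace) M(search)     \
  M(species) M(hasInstance) M(split) M(toPrimitive) M(toStringTag)    \
  M(unscopables) M(asyncIterator) M(matchAll)

// Generated enum; Limit plays the role of JS::WellKnownSymbolLimit.
enum class WellKnownSymbol : uint8_t {
#define DECL_ENUM(name) name,
  FOR_EACH_WELL_KNOWN_SYMBOL(DECL_ENUM)
#undef DECL_ENUM
  Limit
};
constexpr size_t kWellKnownSymbolLimit = size_t(WellKnownSymbol::Limit);

// Before: one member per symbol. Returning &Symbol_isConcatSpreadable and then
// indexing it as an array depends on member layout the standard does not promise.
struct AtomStateBefore {
#define DECL_MEMBER(name) const char* Symbol_##name = #name;
  FOR_EACH_WELL_KNOWN_SYMBOL(DECL_MEMBER)
#undef DECL_MEMBER
  const char** wellKnownSymbolDescriptions() {
    // Expands to a chain of return statements; only the first is ever reached.
#define RETURN_MEMBER(name) return &Symbol_##name;
    FOR_EACH_WELL_KNOWN_SYMBOL(RETURN_MEMBER)
#undef RETURN_MEMBER
  }
};

// After: the descriptions live in one real array, so indexing is well-defined and
// the element count is tied to the enum at compile time.
struct AtomStateAfter {
  std::array<const char*, kWellKnownSymbolLimit> descriptions = {
#define INIT_ELEM(name) #name,
    FOR_EACH_WELL_KNOWN_SYMBOL(INIT_ELEM)
#undef INIT_ELEM
  };
  const char* const* wellKnownSymbolDescriptions() const { return descriptions.data(); }
  // Bounds-checked lookup for callers whose index comes from a bytecode operand.
  const char* descriptionAt(size_t i) const {
    return i < kWellKnownSymbolLimit ? descriptions[i] : nullptr;
  }
};
```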
