Link : https://github.com/jerryscript-project/jerryscript/commit/69f8e78c2f8d562bd6d8002b5488f1662ac30d24
Description: TestLeakAutoVar
CVE Info: CVE-2020-13649
At jerry-core/parser/js/js-scanner.c
@@ -3159,6 +3159,11 @@ scan_completed:
}
PARSER_CATCH
{
- if (context_p->error != PARSER_ERR_OUT_OF_MEMORY)
- {
- context_p->error = PARSER_ERR_NO_ERROR;
- }
-
#if ENABLED (JERRY_ES2015)
while (scanner_context.active_binding_list_p != NULL)
{
@@ -3166,41 +3171,28 @@ scan_completed:
}
#endif /* ENABLED (JERRY_ES2015) */
+ if (JERRY_UNLIKELY (context_p->error != PARSER_ERR_OUT_OF_MEMORY))
- PARSER_TRY (context_p->try_buffer)
{
+ /* Ignore the errors thrown by the lexer. */
+ context_p->error = PARSER_ERR_NO_ERROR;
+
+ /* The following code may allocate memory, so it is enclosed in a try/catch. */
+ PARSER_TRY (context_p->try_buffer)
-#if ENABLED (JERRY_ES2015)
- if (scanner_context.status_flags & SCANNER_CONTEXT_THROW_ERR_ASYNC_FUNCTION)
{
+ #if ENABLED (JERRY_ES2015)
+ if (scanner_context.status_flags & SCANNER_CONTEXT_THROW_ERR_ASYNC_FUNCTION)
+ {
+ JERRY_ASSERT (scanner_context.async_source_p != NULL);
- JERRY_ASSERT (scanner_context.async_source_p != NULL);
+ scanner_info_t *info_p;
+ info_p = scanner_insert_info (context_p, scanner_context.async_source_p, sizeof (scanner_info_t));
+ info_p->type = SCANNER_TYPE_ERR_ASYNC_FUNCTION;
+ }
+ #endif /* ENABLED (JERRY_ES2015) */
+
+ while (scanner_context.active_literal_pool_p != NULL)
+ {
+ scanner_pop_literal_pool (context_p, &scanner_context);
+ }
- scanner_info_t *info_p;
- info_p = scanner_insert_info (context_p, scanner_context.async_source_p, sizeof (scanner_info_t));
- info_p->type = SCANNER_TYPE_ERR_ASYNC_FUNCTION;
}
+ PARSER_CATCH
-#endif /* ENABLED (JERRY_ES2015) */
-
- while (scanner_context.active_literal_pool_p != NULL)
{
+ JERRY_ASSERT (context_p->error == PARSER_ERR_OUT_OF_MEMORY);
- scanner_pop_literal_pool (context_p, &scanner_context);
}
+ PARSER_TRY_END
}
+
+ JERRY_ASSERT (context_p->error == PARSER_ERR_NO_ERROR || context_p->error == PARSER_ERR_OUT_OF_MEMORY);
+
+ if (context_p->error == PARSER_ERR_OUT_OF_MEMORY)
- PARSER_CATCH
{
- JERRY_ASSERT (context_p->error == PARSER_ERR_NO_ERROR);
-
while (scanner_context.active_literal_pool_p != NULL)
{
scanner_literal_pool_t *literal_pool_p = scanner_context.active_literal_pool_p;
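Review bot: In release builds, where `JERRY_ASSERT` compiles to nothing, the inner `PARSER_CATCH` and the assertion after `PARSER_TRY_END` accept any error code, yet the cleanup that follows runs only for `PARSER_ERR_OUT_OF_MEMORY`; if `scanner_insert_info` or `scanner_pop_literal_pool` can ever raise a different error, the literal pools stay allocated and the function continues with a stale error set. Guarding the cleanup on any error, `if (context_p->error != PARSER_ERR_NO_ERROR)`, frees the pools and returns in that case too while leaving the OOM behaviour unchanged. Whether those helpers can raise anything other than OOM is not visible here, so confirm it against their definitions before widening the condition. The enclosing function starts before this hunk and continues after it.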
@@ -3210,10 +3202,12 @@ scan_completed:
parser_list_free (&literal_pool_p->literal_pool);
scanner_free (literal_pool_p, sizeof (scanner_literal_pool_t));
}
+
+ parser_stack_free (context_p);
+ return;
}
- PARSER_TRY_END
-
-#if ENABLED (JERRY_ES2015)
- context_p->status_flags &= (uint32_t) ~PARSER_IS_GENERATOR_FUNCTION;
-#endif /* ENABLED (JERRY_ES2015) */
}
PARSER_TRY_END
Tags
#Memory-error
#Multi-line
#Modified
#CVE
Link : https://github.com/jerryscript-project/jerryscript/commit/3ad76f932c8d2e3b9ba2d95e64848698ec7d7290
Description: Use After Free
CVE Info: CVE-2021-41682
At jerry-core/vm/vm.c
@@ -4144,7 +4144,6 @@ vm_loop (vm_frame_ctx_t *frame_ctx_p) /**< frame context */
if (ECMA_IS_VALUE_ERROR (result))
{
+ stack_top_p[-3] = index;
goto error;
}
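Review bot: The store `stack_top_p[-3] = index;` before `goto error` carries no comment, and from this line alone a reader cannot tell why a stack slot is rewritten on the failure path; presumably the slot held a value that the unwinding at `error:` releases, and writing `index` back makes that release match what is actually live. Add `/* Put index back in its stack slot so the error path releases it exactly once. */` above the store, worded to match what the unwinding code really does. Both the enclosing loop body and the `error:` label are outside the hunk.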
Tags
#Memory-error
#Single-line
#Added
#CVE
Link : https://github.com/jerryscript-project/jerryscript/commit/f3cd586094d5a1e8a5e4cb43d637d46975e6dc75
Description: Missing Release of Memory after Effective Lifetime
CVE Info: CVE-2021-41959
At jerry-core/ecma/operations/ecma-regexp-object.c
@@ -3494,7 +3494,7 @@ ecma_regexp_match_helper (ecma_value_t this_arg, /**< this argument */
index = ecma_op_advance_string_index (str_p, index, full_unicode);
last_index = ecma_make_length_value (index);
+ ecma_value_t next_set_status = ecma_op_object_put (obj_p, ecma_get_magic_string (LIT_MAGIC_STRING_LASTINDEX_UL), last_index, true);
- ecma_value_t next_set_status = ecma_op_object_put (obj_p, ecma_get_magic_string (LIT_MAGIC_STRING_LASTINDEX_UL), ecma_make_length_value(index), true);
#else /* !JERRY_ESNEXT */
ecma_number_t index = ecma_get_number_from_value (last_index);
ecma_free_value (last_index);
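Review bot: Passing `last_index` to `ecma_op_object_put` instead of minting a second length value removes the leaked temporary, but `last_index` itself still has to be released on the `JERRY_ESNEXT` side after the put, the way the `#else` branch does with `ecma_free_value (last_index);`; that release is outside the hunk, so confirm it is present. `next_set_status` also needs an `ECMA_IS_VALUE_ERROR` check before the loop goes on, which likewise falls outside the hunk. As a point of style the added line is very long and would read better split after the magic-string argument. The enclosing loop in `ecma_regexp_match_helper` begins before the hunk.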
Tags
#Etc
#Single-line
#Modified
#CVE
Link : https://github.com/jerryscript-project/jerryscript/commit/4912e3b739f4d00e51a46d883b020d2208be28a2
Description: Classic Buffer Overflow
CVE Info: CVE-2021-41751
At jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c
@@ -874,10 +874,6 @@ ecma_builtin_array_prototype_object_slice (ecma_value_t arg1, /**< start */
/* Source array's length could be changed during the start/end normalization.
* If the "end" value is greater than the current length, clamp the value to avoid buffer-overflow. */
+ if (ext_from_obj_p->u.array.length < end)
+ {
+ end = ext_from_obj_p->u.array.length;
+ }
ecma_extended_object_t *ext_to_obj_p = (ecma_extended_object_t *) new_array_p;
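Review bot: The clamp reads `ext_from_obj_p->u.array.length`, which is only meaningful while the source is still in fast-array mode; the same user code that shrinks the array during start/end normalization could also convert it to an ordinary object, for example by defining an accessor, in which case the fast-path copy below operates on stale state. If the fast-array test was done before normalization, re-running that same predicate here and falling back to the generic path when it fails closes that gap; the predicate and the fallback are outside the hunk, so adapt to what the function already uses. `start` is not clamped, which is fine only as long as the copy loop is written as `k < end`.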
Tags
#Omission
#Multi-line
#Added
#CVE
Link : https://github.com/jerryscript-project/jerryscript/commit/f3a420b672927037beb4508d7bdd68fb25d2caf6
Description: Reachable Assertion
CVE Info: CVE-2022-22901
At jerry-core/parser/js/js-lexer.c
@@ -3273,17 +3273,15 @@ lexer_expect_object_literal_id (parser_context_t *context_p, /**< context */
#endif /* JERRY_ESNEXT */
case LIT_CHAR_LEFT_BRACE:
{
+ const uint32_t static_block_flags =
+ (LEXER_OBJ_IDENT_CLASS_NO_STATIC | LEXER_OBJ_IDENT_CLASS_PRIVATE | LEXER_OBJ_IDENT_CLASS_IDENTIFIER);
+ if ((ident_opts & static_block_flags) == LEXER_OBJ_IDENT_CLASS_IDENTIFIER)
- if (ident_opts & (LEXER_OBJ_IDENT_CLASS_NO_STATIC | LEXER_OBJ_IDENT_CLASS_PRIVATE))
{
+ context_p->token.type = LEXER_LEFT_BRACE;
+ lexer_consume_next_character (context_p);
+ return;
- break;
}
+ break;
- context_p->token.type = LEXER_LEFT_BRACE;
- lexer_consume_next_character (context_p);
- return;
}
case LIT_CHAR_RIGHT_BRACE:
{
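Review bot: The masked comparison on `static_block_flags` is the whole fix but has no explanation: a `{` is consumed as a brace token only when `LEXER_OBJ_IDENT_CLASS_IDENTIFIER` is set and neither `LEXER_OBJ_IDENT_CLASS_NO_STATIC` nor `LEXER_OBJ_IDENT_CLASS_PRIVATE` is, and every other combination now reaches the `break` and is lexed as an ordinary identifier position. A comment above the `if`, such as `/* '{' appears to open a static block only after a bare 'static'; with a pending private or no-static modifier it is not a brace token here. */`, would keep the next edit from widening the condition again. The `switch` this case belongs to begins before the hunk.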
Tags
#Memory-error
#Invalid-condition
#Multi-line
#Modified
#CVE
Link : https://github.com/jerryscript-project/jerryscript/commit/8fa7819c1f79c7c28aba7ed8ceb4d00cc007e839
Description: Reachable Assertion
CVE Info: CVE-2021-44994
At jerry-core/ecma/operations/ecma-atomics-object.c
@@ -192,8 +192,7 @@ ecma_atomic_read_modify_write (ecma_value_t typedarray, /**< typedArray argument
/* 9. */
uint32_t indexed_position = ecma_number_to_uint32 (idx) * element_size + offset;
+ ecma_free_value (idx);
JERRY_UNUSED (indexed_position);
JERRY_UNUSED (element_type);
JERRY_UNUSED (val);
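Review bot: `ecma_free_value (idx)` sits after the last read of `idx`, which is the right place, but the surrounding `JERRY_UNUSED` lines show the body is still a stub and `val` is left untouched; if `val` was produced by a conversion earlier in this function and is owned here, it needs the same release or the leak this commit fixes for `idx` remains for `val`, whereas if it is the caller's value a free here would be a double free. That earlier code is outside the hunk, so confirm ownership before adding `ecma_free_value (val);`. A short comment such as `/* idx is owned by this function; release it once its uint32 form has been taken. */` would document why the free belongs here.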
Tags
#Memory-error
#Single-line
#Added
#CVE
Link : https://github.com/jerryscript-project/jerryscript/commit/070096f30f84862442ca67083d9e3d00a8b96b3f
Description: Reachable Assertion
CVE Info: CVE-2021-44993
At jerry-core/vm/opcodes.c
@@ -1959,11 +1959,14 @@ opfunc_form_super_reference (ecma_value_t **vm_stack_top_p, /**< current vm stac
ecma_value_t prop_name, /**< property name to resolve */
uint8_t opcode) /**< current cbc opcode */
{
+ ecma_environment_record_t *environment_record_p = ecma_op_get_environment_record (frame_ctx_p->lex_env_p);
+ if (environment_record_p && !ecma_op_this_binding_is_initialized (environment_record_p))
- if (CBC_FUNCTION_GET_TYPE (frame_ctx_p->shared_p->bytecode_header_p->status_flags) == CBC_FUNCTION_CONSTRUCTOR)
{
+ return ecma_raise_reference_error (ECMA_ERR_CALL_SUPER_CONSTRUCTOR_DERIVED_CLASS_BEFORE_THIS);
- ecma_environment_record_t *environment_record_p = ecma_op_get_environment_record (frame_ctx_p->lex_env_p);
- if (!ecma_op_this_binding_is_initialized (environment_record_p))
- {
- return ecma_raise_reference_error (ECMA_ERR_CALL_SUPER_CONSTRUCTOR_DERIVED_CLASS_BEFORE_THIS);
- }
}
ecma_value_t parent = ecma_op_resolve_super_base (frame_ctx_p->lex_env_p);
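Review bot: Replacing the constructor-type test with `environment_record_p && !ecma_op_this_binding_is_initialized (...)` changes which frames are checked and nothing says why; the likely reason is that a non-constructor function such as an arrow function defined inside a derived constructor shares that constructor's `this` binding through its lexical environment, so the binding state rather than the bytecode kind is what must be tested. Record that next to the condition: `/* Test the this binding of the nearest function environment rather than the bytecode kind: arrow functions inside a derived constructor reach here too. */`. The `environment_record_p == NULL` case now falls through to `ecma_op_resolve_super_base`, which is presumably intended for code with no function environment and deserves a word as well. The function body continues past the hunk.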
Tags
#Invalid-condition
#Multi-line
#Modified
#CVE
Link : https://github.com/jerryscript-project/jerryscript/commit/85c798705afe39298e27c56e45e10dc14b004df8
Description: Reachable Assertion
CVE Info: CVE-2021-46350
At jerry-core/vm/opcodes.c
@@ -1403,58 +1403,41 @@ opfunc_private_set (ecma_value_t base, /**< this object */
ecma_value_t property, /**< property name */
ecma_value_t value) /**< ecma value */
{
+ ecma_value_t base_obj = ecma_op_to_object (base);
- ecma_object_t *obj_p = ecma_get_object_from_value (base);
+ if (ECMA_IS_VALUE_ERROR (base_obj))
+ {
+ return base_obj;
+ }
+ ecma_object_t *obj_p = ecma_get_object_from_value (base_obj);
ecma_string_t *prop_name_p = ecma_get_string_from_value (property);
ecma_string_t *private_key_p = NULL;
ecma_property_t *prop_p = opfunc_find_private_element (obj_p, prop_name_p, &private_key_p, true);
+ ecma_value_t result;
if (prop_p == NULL)
{
+ result = ecma_raise_type_error (ECMA_ERR_CANNOT_WRITE_PRIVATE_MEMBER_TO_AN_OBJECT_WHOSE_CLASS_DID_NOT_DECLARE_IT);
- return ecma_raise_type_error (ECMA_ERR_CANNOT_WRITE_PRIVATE_MEMBER_TO_AN_OBJECT_WHOSE_CLASS_DID_NOT_DECLARE_IT);
}
+ else if (*prop_p & ECMA_PROPERTY_FLAG_DATA)
- if (*prop_p & ECMA_PROPERTY_FLAG_DATA)
{
JERRY_ASSERT (ecma_prop_name_is_symbol (private_key_p));
if (private_key_p->u.hash & ECMA_SYMBOL_FLAG_PRIVATE_INSTANCE_METHOD)
{
+ result = ecma_raise_type_error (ECMA_ERR_PRIVATE_METHOD_IS_NOT_WRITABLE);
+ }
+ else
+ {
+ ecma_value_assign_value (&ECMA_PROPERTY_VALUE_PTR (prop_p)->value, value);
+ result = ecma_copy_value (value);
- return ecma_raise_type_error (ECMA_ERR_PRIVATE_METHOD_IS_NOT_WRITABLE);
}
- ecma_value_assign_value (&ECMA_PROPERTY_VALUE_PTR (prop_p)->value, value);
- return ecma_copy_value (value);
}
+ else
+ {
+ ecma_getter_setter_pointers_t *get_set_pair_p = ecma_get_named_accessor_property (ECMA_PROPERTY_VALUE_PTR (prop_p));
- ecma_getter_setter_pointers_t *get_set_pair_p = ecma_get_named_accessor_property (ECMA_PROPERTY_VALUE_PTR (prop_p));
+ if (get_set_pair_p->setter_cp == JMEM_CP_NULL)
+ {
+ result = ecma_raise_type_error (ECMA_ERR_PRIVATE_FIELD_WAS_DEFINED_WITHOUT_A_SETTER);
+ }
+ else
+ {
+ ecma_object_t *setter_p = ECMA_GET_NON_NULL_POINTER (ecma_object_t, get_set_pair_p->setter_cp);
+ result = ecma_op_function_call (setter_p, base, &value, 1);
+ }
- if (get_set_pair_p->setter_cp == JMEM_CP_NULL)
- {
- return ecma_raise_type_error (ECMA_ERR_PRIVATE_FIELD_WAS_DEFINED_WITHOUT_A_SETTER);
}
+ ecma_deref_object (obj_p);
- ecma_object_t *setter_p = ECMA_GET_NON_NULL_POINTER (ecma_object_t, get_set_pair_p->setter_cp);
+ return result;
- return ecma_op_function_call (setter_p, base, &value, 1);
} /* opfunc_private_set */
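Review bot: The lookup now uses the `ecma_op_to_object` result, but the setter at `ecma_op_function_call (setter_p, base, &value, 1)` is still invoked with the unconverted `base` as its receiver, so for a primitive base the setter sees the primitive as `this` while the property was found on the wrapper; the spec's PrivateSet passes the converted object, which here would be `result = ecma_op_function_call (setter_p, base_obj, &value, 1);`. Whether the getter counterpart deliberately keeps the primitive receiver is not visible here, so check it before changing this line. The single-exit shape with one `result` and the unconditional `ecma_deref_object (obj_p)` is a clear improvement over the early returns.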
/**
Tags
#Etc
#Multi-line
#Modified
#CVE
Link : https://github.com/jerryscript-project/jerryscript/commit/58e504f1f487b83c00670772a63709e57b0cc835
Description: Out-of-bounds Write
CVE Info: CVE-2022-22893
At jerry-core/ecma/operations/ecma-function-object.c
@@ -1769,8 +1769,7 @@ ecma_op_function_construct (ecma_object_t *func_obj_p, /**< Function object */
{
JERRY_ASSERT (func_obj_p != NULL && !ecma_is_lexical_environment (func_obj_p));
+ ECMA_CHECK_STACK_USAGE ();
switch (ecma_get_object_type (func_obj_p))
{
case ECMA_OBJECT_TYPE_FUNCTION:
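Review bot: `ECMA_CHECK_STACK_USAGE ()` bounds recursion only if the build configures a stack limit; if, as the name suggests, the macro expands to nothing otherwise, the overflow this commit addresses remains reachable in a default build, so the dependency should be stated at the call, e.g. `/* Guard against runaway recursion through construct; effective only when a stack limit is configured. */`. The macro's expansion is not in the hunk, so confirm which configuration option enables it before wording the comment. The rest of `ecma_op_function_construct` continues past the hunk.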
Tags
#Memory-error
#Single-line
#Added
#CVE
Link : https://github.com/jerryscript-project/jerryscript/commit/bcc711e731261a55f232f12a9554190189b5d856
Description: Out-of-bounds Write
CVE Info: CVE-2021-44988
At jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c
@@ -2660,7 +2660,6 @@ ecma_builtin_array_flatten_into_array (ecma_value_t target, /**< target will con
ecma_value_t mapped_value, /**< mapped value */
ecma_value_t thisArg) /**< this arg */
{
+ ECMA_CHECK_STACK_USAGE ();
/* 7. */
ecma_length_t target_index = start;
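Review bot: Placing `ECMA_CHECK_STACK_USAGE ()` at the top of `ecma_builtin_array_flatten_into_array` makes every recursive level pay the check, which is right, but the check alone does not bound `depth`; an unbounded depth on an array that contains itself still recurses until the limit trips, and that limit is active only when the build configures one. Document that with `/* Each nested level recurses into this function; the stack check is the only bound on depth and relies on a configured stack limit. */`. The recursive call and the `depth` handling are outside the hunk.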
Tags
#Memory-error
#Single-line
#Added
#CVE
Link : https://github.com/jerryscript-project/jerryscript/commit/c2b662170245a16f46ce02eae68815c325d99821
Description: Memory Corruption
CVE Info: CVE-2020-14163
At jerry-core/ecma/operations/ecma-container-object.c
@@ -63,15 +63,11 @@ ecma_op_internal_buffer_append (ecma_collection_t *container_p, /**< internal co
lit_magic_string_id_t lit_id) /**< class id */
{
JERRY_ASSERT (container_p != NULL);
- ecma_collection_push_back (container_p, ecma_copy_value_if_not_object (key_arg));
if (lit_id == LIT_MAGIC_STRING_WEAKMAP_UL || lit_id == LIT_MAGIC_STRING_MAP_UL)
{
+ ecma_value_t values[] = { ecma_copy_value_if_not_object (key_arg), ecma_copy_value_if_not_object (value_arg) };
+ ecma_collection_append (container_p, values, 2);
+ }
+ else
+ {
+ ecma_collection_push_back (container_p, ecma_copy_value_if_not_object (key_arg));
- ecma_collection_push_back (container_p, ecma_copy_value_if_not_object (value_arg));
}
ECMA_CONTAINER_SET_SIZE (container_p, ECMA_CONTAINER_GET_SIZE (container_p) + 1);
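Review bot: Appending key and value in one `ecma_collection_append` call instead of two `ecma_collection_push_back`s is the fix, but nothing records why two pushes were unsafe; presumably the second push could grow and move the collection buffer, invalidating a pointer into it that a caller still held. Add `/* Append key and value in a single operation so the buffer is grown at most once and no pointer into it goes stale between two pushes. */` above the call. The two `ecma_copy_value_if_not_object` calls inside the `values[]` initializer are indeterminately sequenced, which is harmless only while the copies stay independent of each other, as they are here.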