Addresses an incomplete fix from 1b0b660

jwalker · saghul · commit da49a37041e7 · 2026-05-11T21:04:25.000+02:00
diff --git a/quickjs.c b/quickjs.c
@@ -9901,6 +9901,7 @@ static int set_array_length(JSContext *ctx, JSObject *p, JSValue val,
         if (len < old_len) {
             for(i = len; i < old_len; i++) {
                 JS_FreeValue(ctx, p->u.array.u.values[i]);
+                p->u.array.u.values[i] = JS_UNDEFINED;
             }
             p->u.array.count = len;
         }
diff --git a/tests/fix_set_array_length-uaf.js b/tests/fix_set_array_length-uaf.js
@@ -0,0 +1,6 @@
+// Crash — heap-use-after-free (confirmed with ASan)
+const arr = [{a:1}, {b:2}, {c:3}, {d:4}, {e:5}];
+arr.length = 2;   // frees elements 2-4
+arr.length = 5;   // grows length back; count stays at 2
+arr.push({f:6}); // count jumps to 6; elements 2-4 are freed but readable
+print(JSON.stringify(arr[3])); // reads freed memory

Original file line number	Diff line number	Diff line change
`@@ -9901,6 +9901,7 @@ static int set_array_length(JSContext ctx, JSObject p, JSValue val,`
`9901`	`9901`	`if (len < old_len) {`
`9902`	`9902`	`for(i = len; i < old_len; i++) {`
`9903`	`9903`	`JS_FreeValue(ctx, p->u.array.u.values[i]);`
	`9904`	`+ p->u.array.u.values[i] = JS_UNDEFINED;`
`9904`	`9905`	`}`
`9905`	`9906`	`p->u.array.count = len;`
`9906`	`9907`	`}`