Commit e1c1e41
fix: heap-use-after-free in build_backtrace when dbuf OOM frees current_exception
If JS_NewError() during build_backtrace triggered dbuf OOM, JS_ThrowOutOfMemory
freed the current exception (error_val from the caller's stack frame), then
the rest of build_backtrace continued using the freed error_val for the
prepareStackTrace call and the JS_DefinePropertyValue of the stack property.
The fix duplicates error_val into a local error_obj at function entry, uses
error_obj throughout the function, and frees it at exit.
Fixes #14691
parent 9584b58 commit e1c1e41
2 files changed
Lines changed: 39 additions & 5 deletions
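The ownership problem the commit message describes, reduced to a toy refcount model in C. This is an added example, not code from this commit or its project: `Val`, `Ctx`, `throw_oom`, `build_backtrace_model` and `scenario` are hypothetical names, and "freeing" is modelled as setting a flag so the stale access can be observed without undefined behaviour.

```c
#include <stdio.h>

/* Toy refcounted value: "freeing" only sets a flag, so the bug can be
   observed without real undefined behaviour. All names are hypothetical. */
typedef struct { int refs; int freed; } Val;
typedef struct { Val *current_exception; } Ctx;

static Val *val_dup(Val *v) { v->refs++; return v; }
static void val_free(Val *v) { if (--v->refs == 0) v->freed = 1; }

/* Models an OOM throw: the context drops its reference to the pending
   exception and installs the OOM error in its place. */
static void throw_oom(Ctx *ctx, Val *oom) {
    Val *old = ctx->current_exception;
    ctx->current_exception = val_dup(oom);
    if (old) val_free(old);
}

/* Models the backtrace builder. error_val is borrowed from the caller and
   may be the very object ctx->current_exception owns. Returns 1 if the
   error object is still alive when the function goes on to use it. */
static int build_backtrace_model(Ctx *ctx, Val *error_val, Val *oom,
                                 int inner_oom, int hold_ref) {
    Val *error_obj = hold_ref ? val_dup(error_val) : error_val;
    int alive;
    if (inner_oom)
        throw_oom(ctx, oom);       /* inner allocation failed */
    alive = !error_obj->freed;     /* point where 'stack' would be defined */
    if (hold_ref)
        val_free(error_obj);       /* release the local reference at exit */
    return alive;
}

/* Runs one scenario: the context holds the only reference to the error. */
static int scenario(int inner_oom, int hold_ref) {
    Val err = { 1, 0 }, oom = { 1, 0 };
    Ctx ctx = { &err };
    return build_backtrace_model(&ctx, &err, &oom, inner_oom, hold_ref);
}

int main(void) {
    printf("borrowed, no OOM: alive=%d\n", scenario(0, 0));
    printf("borrowed, OOM:    alive=%d\n", scenario(1, 0));
    printf("held ref, OOM:    alive=%d\n", scenario(1, 1));
    return 0;
}
```

Only the borrowed-pointer path combined with the inner OOM reports a dead object, which is why the defect surfaces only under allocation failure.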
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
776 | 776 | | |
777 | 777 | | |
778 | 778 | | |
| 779 | + | |
| 780 | + | |
| 781 | + | |
| 782 | + | |
| 783 | + | |
| 784 | + | |
| 785 | + | |
| 786 | + | |
| 787 | + | |
| 788 | + | |
| 789 | + | |
| 790 | + | |
| 791 | + | |
| 792 | + | |
| 793 | + | |
| 794 | + | |
| 795 | + | |
| 796 | + | |
| 797 | + | |
| 798 | + | |
| 799 | + | |
| 800 | + | |
| 801 | + | |
| 802 | + | |
| 803 | + | |
| 804 | + | |
| 805 | + | |
| 806 | + | |
| 807 | + | |
| 808 | + | |
| 809 | + | |
779 | 810 | | |
780 | 811 | | |
781 | 812 | | |
| |||
1053 | 1084 | | |
1054 | 1085 | | |
1055 | 1086 | | |
| 1087 | + | |
1056 | 1088 | | |
1057 | 1089 | | |
1058 | 1090 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
7762 | 7762 | | |
7763 | 7763 | | |
7764 | 7764 | | |
7765 | | - | |
| 7765 | + | |
7766 | 7766 | | |
7767 | 7767 | | |
7768 | 7768 | | |
| |||
7779 | 7779 | | |
7780 | 7780 | | |
7781 | 7781 | | |
| 7782 | + | |
7782 | 7783 | | |
7783 | 7784 | | |
7784 | 7785 | | |
| |||
7924 | 7925 | | |
7925 | 7926 | | |
7926 | 7927 | | |
7927 | | - | |
| 7928 | + | |
7928 | 7929 | | |
7929 | 7930 | | |
7930 | 7931 | | |
| |||
7945 | 7946 | | |
7946 | 7947 | | |
7947 | 7948 | | |
7948 | | - | |
7949 | | - | |
| 7949 | + | |
| 7950 | + | |
7950 | 7951 | | |
7951 | 7952 | | |
7952 | 7953 | | |
7953 | 7954 | | |
7954 | 7955 | | |
| 7956 | + | |
7955 | 7957 | | |
7956 | 7958 | | |
7957 | 7959 | | |
| |||
40234 | 40236 | | |
40235 | 40237 | | |
40236 | 40238 | | |
40237 | | - | |
| 40239 | + | |
40238 | 40240 | | |
40239 | 40241 | | |
40240 | 40242 | | |
| |||