mirrors/phpv8
mirrors/phpv8
0
0
Fork 0
mirror of https://github.com/phpv8/v8js.git synced 2024-12-22 08:11:52 +00:00
Code Releases Activity

fix zend_string access issues & user after free in error handling code

Browse Source
This commit is contained in:
Stefan Siegl 2024-09-27 23:02:48 +02:00
parent cba24df614
commit 73e684f4a8
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
v8js_object_export.cc
View File

@ -543,7 +543,7 @@ static void v8js_fake_call_impl(const v8::FunctionCallbackInfo<v8::Value>& info)
if (!info[1]->IsArray()) { if (!info[1]->IsArray()) {
error_len = spprintf(&error, 0, error_len = spprintf(&error, 0,
"%s::__call expects 2nd parameter to be an array", "%s::__call expects 2nd parameter to be an array",
ce->name); ZSTR_VAL(ce->name));
if (error_len > std::numeric_limits<int>::max()) { if (error_len > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception, zend_throw_exception(php_ce_v8js_exception,
@ -607,14 +607,14 @@ static void v8js_fake_call_impl(const v8::FunctionCallbackInfo<v8::Value>& info)
// okay, look up the method name and manually invoke it. // okay, look up the method name and manually invoke it.
const zend_object_handlers *h = object->handlers; const zend_object_handlers *h = object->handlers;
zend_function *method_ptr = h->get_method(&object, method_name, NULL); zend_function *method_ptr = h->get_method(&object, method_name, NULL);
zend_string_release(method_name);
if (method_ptr == NULL || if (method_ptr == NULL ||
(method_ptr->common.fn_flags & ZEND_ACC_PUBLIC) == 0 || (method_ptr->common.fn_flags & ZEND_ACC_PUBLIC) == 0 ||
(method_ptr->common.fn_flags & (ZEND_ACC_CTOR|ZEND_ACC_DTOR)) != 0) { (method_ptr->common.fn_flags & (ZEND_ACC_CTOR|ZEND_ACC_DTOR)) != 0) {
error_len = spprintf(&error, 0, error_len = spprintf(&error, 0,
"%s::__call to %s method %s", ZSTR_VAL(ce->name), "%s::__call to %s method %s", ZSTR_VAL(ce->name),
(method_ptr == NULL) ? "undefined" : "non-public", method_name); (method_ptr == NULL) ? "undefined" : "non-public", ZSTR_VAL(method_name));
zend_string_release(method_name);
if (error_len > std::numeric_limits<int>::max()) { if (error_len > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception, zend_throw_exception(php_ce_v8js_exception,
@ -629,6 +629,8 @@ static void v8js_fake_call_impl(const v8::FunctionCallbackInfo<v8::Value>& info)
return; return;
} }
zend_string_release(method_name);
v8::Local<v8::FunctionTemplate> tmpl = v8::Local<v8::FunctionTemplate> tmpl =
v8::Local<v8::FunctionTemplate>::New v8::Local<v8::FunctionTemplate>::New
(isolate, *reinterpret_cast<v8js_function_tmpl_t *>(self->GetAlignedPointerFromInternalField(0))); (isolate, *reinterpret_cast<v8js_function_tmpl_t *>(self->GetAlignedPointerFromInternalField(0)));