| 123456789101112131415161718192021222324252627282930313233343536373839 |
- From 738785214546ec5bb772886019529b2a6519deaf Mon Sep 17 00:00:00 2001
- From: Simon McVittie <smcv@debian.org>
- Date: Fri, 1 May 2020 19:04:22 +0100
- Subject: [PATCH] mozjs: Avoid use-after-free
- If we don't assign the temporary std::string returned by
- url_.to_string() to a variable, then it immediately goes out of scope
- and is freed, resulting in the result of c_str() pointing into freed
- memory. This works about as well as you would expect.
- Signed-off-by: Simon McVittie <smcv@debian.org>
- ---
- libproxy/modules/pacrunner_mozjs.cpp | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
- diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp
- index ade6d0a..aac6531 100644
- --- a/libproxy/modules/pacrunner_mozjs.cpp
- +++ b/libproxy/modules/pacrunner_mozjs.cpp
- @@ -175,14 +175,11 @@ class mozjs_pacrunner : public pacrunner {
-
- string run(const url& url_) throw (bad_alloc) {
- // Build arguments to the FindProxyForURL() function
- - const char *tmpurl = url_.to_string().c_str();
- - const char *tmphost = url_.get_host().c_str();
- - if (!tmpurl || !tmphost) {
- - throw bad_alloc();
- - }
- + string tmpurl(url_.to_string());
- + string tmphost(url_.get_host());
- JS::AutoValueArray<2> args(this->jsctx);
- - args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl));
- - args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost));
- + args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl.c_str()));
- + args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost.c_str()));
-
- // Find the proxy (call FindProxyForURL())
- JS::RootedValue rval(this->jsctx);
|
