From 6593ccc9a33c1537f13f470e9bdf5a64d6e77a22 Mon Sep 17 00:00:00 2001 From: Yonggang Luo Date: Fri, 15 Jan 2021 07:10:53 -0800 Subject: [PATCH] Fix free of NULL value in function ecma_typedarray_helper_dispatch_construct Currently, ecma_op_get_prototype_from_constructor may return NULL and the function didn't raise that exception. Also optimize multiple assignment of prototype_obj_p and multiple access of JERRY_CONTEXT (current_new_target) out. This fixes https://github.com/jerryscript-project/jerryscript/issues/4463 JerryScript-DCO-1.0-Signed-off-by: Yonggang Luo luoyonggang@gmail.com --- .../ecma-builtin-typedarray-helpers.c | 23 +++++++-- .../es.next/regression-test-issue-4463.js | 50 +++++++++++++++++++ 2 files changed, 69 insertions(+), 4 deletions(-) create mode 100644 tests/jerry/es.next/regression-test-issue-4463.js diff --git a/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-helpers.c b/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-helpers.c index f361402861..97ab61b47d 100644 --- a/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-helpers.c +++ b/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-helpers.c @@ -20,6 +20,7 @@ #include "ecma-builtins.h" #include "ecma-gc.h" #include "ecma-objects.h" +#include "ecma-exceptions.h" #include "ecma-typedarray-object.h" #include "ecma-function-object.h" #include "jcontext.h" @@ -40,11 +41,25 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p, { JERRY_ASSERT (arguments_list_len == 0 || arguments_list_p != NULL); ecma_builtin_id_t proto_id = ecma_typedarray_helper_get_prototype_id (typedarray_id); - ecma_object_t *prototype_obj_p = ecma_builtin_get (proto_id); + ecma_object_t *current_new_target_p = JERRY_CONTEXT (current_new_target); + ecma_object_t *prototype_obj_p; - if (JERRY_CONTEXT (current_new_target)) + if (current_new_target_p != NULL) { - prototype_obj_p = ecma_op_get_prototype_from_constructor (JERRY_CONTEXT (current_new_target), proto_id); + prototype_obj_p = ecma_op_get_prototype_from_constructor (current_new_target_p, proto_id); + if (jcontext_has_pending_exception ()) + { + return ECMA_VALUE_ERROR; + } + } + else + { + prototype_obj_p = ecma_builtin_get (proto_id); + } + + if (prototype_obj_p == NULL) + { + return ecma_raise_type_error (ECMA_ERR_MSG ("TypedArray constructor should have prototype")); } ecma_value_t val = ecma_op_create_typedarray (arguments_list_p, @@ -53,7 +68,7 @@ ecma_typedarray_helper_dispatch_construct (const ecma_value_t *arguments_list_p, ecma_typedarray_helper_get_shift_size (typedarray_id), typedarray_id); - if (JERRY_CONTEXT (current_new_target)) + if (current_new_target_p != NULL) { ecma_deref_object (prototype_obj_p); } diff --git a/tests/jerry/es.next/regression-test-issue-4463.js b/tests/jerry/es.next/regression-test-issue-4463.js new file mode 100644 index 0000000000..4d6b48d346 --- /dev/null +++ b/tests/jerry/es.next/regression-test-issue-4463.js @@ -0,0 +1,50 @@ +// Copyright JS Foundation and other contributors, http://js.foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +function Test262Error(message) { + this.message = message || ""; +} + +Test262Error.prototype.toString = function () { + return "Test262Error: " + this.message; +}; + +var newTarget = function () {}.bind(null); +Object.defineProperty(newTarget, "prototype", { + get() { + throw new Test262Error(); + }, +}); + +var typedArrayConstructors = [ + Float64Array, + Float32Array, + Int32Array, + Int16Array, + Int8Array, + Uint32Array, + Uint16Array, + Uint8Array, + Uint8ClampedArray, +]; + +for (var type of typedArrayConstructors) { + try { + Reflect.construct(Uint8ClampedArray, [], newTarget); + } catch (error) { + if (!(error instanceof Test262Error)) { + throw "error must be instanceof Test262Error"; + } + } +}