Fix stack overflow in CVE-2023-31922 #182
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
isArray and proxy isArray can call each other indefinitely in a mutually recursive loop. Add a stack overflow check in the js_proxy_isArray function before calling JS_isArray(ctx, s->target). With ASAN the the poc.js from issue 178: ``` ./qjs ./poc.js InternalError: stack overflow at isArray (native) at <eval> (./poc.js:4) ``` Fix: bellard#178
rweickelt
pushed a commit
to rweickelt/qbs
that referenced
this pull request
Jun 20, 2023
As published here: bellard/quickjs#182 Change-Id: Icec59a726df1b9015860e23d1f8e603927dd2908
qtprojectorg
pushed a commit
to qbs/qbs
that referenced
this pull request
Jun 20, 2023
As published here: bellard/quickjs#182 Change-Id: Icec59a726df1b9015860e23d1f8e603927dd2908 Reviewed-by: Ivan Komissarov <[email protected]>
past-due
added a commit
to Warzone2100/quickjs-wz
that referenced
this pull request
Sep 13, 2023
See: bellard/quickjs#182 Co-Authored-By: Nick Vatamaniuc <[email protected]>
past-due
added a commit
to Warzone2100/quickjs-wz
that referenced
this pull request
Sep 13, 2023
See: bellard/quickjs#182 Co-Authored-By: Nick Vatamaniuc <[email protected]>
|
Noting that this was merged into quickjs-ng quickjs-ng/quickjs#157 |
|
The patch had been sent to the mailing list https://www.freelists.org/post/quickjs-devel/patch-Stack-overflow-fix-for-CVE202331922 previously and has now been merged to master here as well: 03cc5ec |
|
Closing as merged |
|
@nickva thanks for getting this addressed and fixed! |
GerHobbelt
pushed a commit
to GerHobbelt/quickjs
that referenced
this pull request
Sep 14, 2024
…d#182) Bumps [ws](https://github.com/websockets/ws) from 8.16.0 to 8.17.1. - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.16.0...8.17.1) --- updated-dependencies: - dependency-name: ws dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
isArrayand proxyisArraycan call each other indefinitely in a mutually recursive loop.Add a stack overflow check in the
js_proxy_isArrayfunction before callingJS_isArray(ctx, s->target).With ASAN and the poc.js from issue #178:
Fix: #178