Skip to content

Fix UAF when handling non-detached var-refs in mapped arguments#1401

Merged
saghul merged 1 commit intomasterfrom
fix-1400
Mar 12, 2026
Merged

Fix UAF when handling non-detached var-refs in mapped arguments#1401
saghul merged 1 commit intomasterfrom
fix-1400

Conversation

@saghul
Copy link
Copy Markdown
Contributor

@saghul saghul commented Mar 12, 2026

js_mapped_arguments_mark was calling mark_func on non-detached var_refs,
which are not GC objects.

Fixes: #1400
@saghul saghul mentioned this pull request Mar 12, 2026
Closed
@saghul
Copy link
Copy Markdown
Contributor Author

saghul commented Mar 12, 2026

Argh, when miving the test into the suite we don't seem to expose gc, lemme check...
@saghul
Fix UAF when handling non-detached var-refs in mapped arguments
67c22dc 
js_mapped_arguments_mark was calling mark_func on non-detached var_refs,
which are not GC objects.

Fixes: #1400
bnoordhuis
bnoordhuis approved these changes Mar 12, 2026
View reviewed changes
tests/test_language.js
/* mapped arguments with GC must not crash (non-detached var_refs) */
function f3(a) {
arguments;
gc();
Copy link
Copy Markdown
Contributor

@bnoordhuis bnoordhuis Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FTR, can also be invoked through std.gc().
Copy link
Copy Markdown
Contributor Author

@saghul saghul Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In run262 we don't seem to load std so when running with make test I got a reference error, since I thought we might not want to add std there,, I went with the smallest change.
@saghul saghul merged commit 3973106 into master Mar 12, 2026
123 checks passed
@saghul saghul deleted the fix-1400 branch March 12, 2026 15:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants

@saghul @bnoordhuis