From 738785214546ec5bb772886019529b2a6519deaf Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Fri, 1 May 2020 19:04:22 +0100 Subject: [PATCH] mozjs: Avoid use-after-free If we don't assign the temporary std::string returned by url_.to_string() to a variable, then it immediately goes out of scope and is freed, resulting in the result of c_str() pointing into freed memory. This works about as well as you would expect. Signed-off-by: Simon McVittie --- libproxy/modules/pacrunner_mozjs.cpp | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp index ade6d0a..aac6531 100644 --- a/libproxy/modules/pacrunner_mozjs.cpp +++ b/libproxy/modules/pacrunner_mozjs.cpp @@ -175,14 +175,11 @@ class mozjs_pacrunner : public pacrunner { string run(const url& url_) throw (bad_alloc) { // Build arguments to the FindProxyForURL() function - const char *tmpurl = url_.to_string().c_str(); - const char *tmphost = url_.get_host().c_str(); - if (!tmpurl || !tmphost) { - throw bad_alloc(); - } + string tmpurl(url_.to_string()); + string tmphost(url_.get_host()); JS::AutoValueArray<2> args(this->jsctx); - args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl)); - args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost)); + args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl.c_str())); + args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost.c_str())); // Find the proxy (call FindProxyForURL()) JS::RootedValue rval(this->jsctx);