From 738785214546ec5bb772886019529b2a6519deaf Mon Sep 17 00:00:00 2001 |
|
From: Simon McVittie <smcv@debian.org> |
|
Date: Fri, 1 May 2020 19:04:22 +0100 |
|
Subject: [PATCH] mozjs: Avoid use-after-free |
|
|
|
If we don't assign the temporary std::string returned by |
|
url_.to_string() to a variable, then it immediately goes out of scope |
|
and is freed, resulting in the result of c_str() pointing into freed |
|
memory. This works about as well as you would expect. |
|
|
|
Signed-off-by: Simon McVittie <smcv@debian.org> |
|
--- |
|
libproxy/modules/pacrunner_mozjs.cpp | 11 ++++------- |
|
1 file changed, 4 insertions(+), 7 deletions(-) |
|
|
|
diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp |
|
index ade6d0a..aac6531 100644 |
|
--- a/libproxy/modules/pacrunner_mozjs.cpp |
|
+++ b/libproxy/modules/pacrunner_mozjs.cpp |
|
@@ -175,14 +175,11 @@ class mozjs_pacrunner : public pacrunner { |
|
|
|
string run(const url& url_) throw (bad_alloc) { |
|
// Build arguments to the FindProxyForURL() function |
|
- const char *tmpurl = url_.to_string().c_str(); |
|
- const char *tmphost = url_.get_host().c_str(); |
|
- if (!tmpurl || !tmphost) { |
|
- throw bad_alloc(); |
|
- } |
|
+ string tmpurl(url_.to_string()); |
|
+ string tmphost(url_.get_host()); |
|
JS::AutoValueArray<2> args(this->jsctx); |
|
- args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl)); |
|
- args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost)); |
|
+ args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl.c_str())); |
|
+ args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost.c_str())); |
|
|
|
// Find the proxy (call FindProxyForURL()) |
|
JS::RootedValue rval(this->jsctx);
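Review bot: The return value of `JS_NewStringCopyZ()` is passed straight into `args[0].setString()` and `args[1].setString()` with no null check, and with the old `throw bad_alloc()` branch removed these lines have no allocation-failure path left. The removed test never fired, since `c_str()` does not return null, but `JS_NewStringCopyZ()` itself returns nullptr when the copy cannot be allocated, and that would put an invalid string value into the argument array passed to FindProxyForURL(). I would bind each result first, e.g. `JSString *jsurl = JS_NewStringCopyZ(this->jsctx, tmpurl.c_str());` then `if (!jsurl) throw bad_alloc();` before `args[0].setString(jsurl);`, and do the same for the host. The body of run() continues past the end of the hunk, so whether a later check covers this cannot be seen here.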
|
|
|