• src/sbbs3/exec.cpp js_archive.c js_conio.c js_console.cpp js_file.c js

    From Rob Swindell (on Windows 11)@VERT to Git commit to main/sbbs/master on Wednesday, August 07, 2024 19:53:21
    https://gitlab.synchro.net/main/sbbs/-/commit/545231455f58e87234016d4c
    Modified Files:
    src/sbbs3/exec.cpp js_archive.c js_conio.c js_console.cpp js_file.c js_filebase.c js_global.c js_internal.c js_msgbase.c js_socket.c js_system.c main.cpp websrvr.c
    Log Message:
    Prevent NULL pointer dereference when 'null' object passed to JS functions

    As was discovered as part of investigation into issue #769, a JavaScript
    script could crash SBBS (cause a segfault) due to a NULL pointer dereference when
    the script passes 'null' to native JS functions where an object is expected.

    The issue raised was with console.gotoxy(), but it turns out that *many* Synchronet native JS functions would call JSVAL_TO_OBJECT() and then, without checking for NULL/nullptr, pass its return value to JS API functions such as JS_GetPrivate, JS_GetProperty, JS_GetClass, JS_ObjectIsFunction, JS_IsArrayObject, JS_GetArrayLength, JS_DefineProperty, JS_Enumerate, etc.
    All of these JS API functions dereference the passed object pointer without NULL/nullptr checking.

    The fix here is to either call JSVAL_IS_NULL() or JSVAL_NULL_OR_VOID() and,
    if true, not call JSVAL_TO_OBJECT(), and/or check the return value for the NULL value before using it as an argument to any other JS API functions.
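The argument-validation pattern the commit message describes, shown as an added example that is not Synchronet's or SpiderMonkey's own code. The tagged `jsval`, the `JSObject` struct and the `JSVAL_*`/`JS_GetPrivate` helpers below are constructed stand-ins that keep the engine's names so the "before" and "after" read like the native functions the commit touches; they are not the engine's real representation. One detail the stand-in preserves is that `null` passes an `JSVAL_IS_OBJECT()` check while `JSVAL_TO_OBJECT()` yields a NULL pointer for it, which is exactly why an object-type check alone did not prevent the crash.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for SpiderMonkey's tagged jsval. This is NOT the
 * engine's real layout; it exists only so the example compiles on its own. */
typedef enum { TAG_VOID, TAG_NULL, TAG_INT, TAG_OBJECT } ValTag;

typedef struct JSObject {
    const char *class_name;
    void *private_data;           /* what JS_GetPrivate() hands back */
} JSObject;

typedef struct {
    ValTag tag;
    union { int i; JSObject *obj; } u;
} jsval;

/* Helpers named after the engine macros the commit message refers to
 * (simplified behaviour, same semantics for the cases that matter here). */
static int JSVAL_IS_NULL(jsval v)      { return v.tag == TAG_NULL; }
static int JSVAL_NULL_OR_VOID(jsval v) { return v.tag == TAG_NULL || v.tag == TAG_VOID; }
/* As in SpiderMonkey, null is an "object" value, so this check alone is not enough. */
static int JSVAL_IS_OBJECT(jsval v)    { return v.tag == TAG_OBJECT || v.tag == TAG_NULL; }
static JSObject *JSVAL_TO_OBJECT(jsval v) { return v.tag == TAG_OBJECT ? v.u.obj : NULL; }

/* Like the real JS_GetPrivate(): dereferences obj with no NULL check. */
static void *JS_GetPrivate(JSObject *obj) { return obj->private_data; }

/* Constructors for sample argument values (constructed test inputs). */
static jsval val_null(void)          { jsval v; v.tag = TAG_NULL;   v.u.i = 0;   return v; }
static jsval val_void(void)          { jsval v; v.tag = TAG_VOID;   v.u.i = 0;   return v; }
static jsval val_int(int i)          { jsval v; v.tag = TAG_INT;    v.u.i = i;   return v; }
static jsval val_object(JSObject *o) { jsval v; v.tag = TAG_OBJECT; v.u.obj = o; return v; }

enum { NATIVE_OK = 0, NATIVE_ERR_NOT_OBJECT = -1, NATIVE_ERR_NO_PRIVATE = -2 };

/* "Before": the shape of the bug the commit fixes. A script passing null
 * reaches JS_GetPrivate(NULL) and the process segfaults. Only ever call
 * this with a real object; it is here to show what the fix replaces. */
static int native_unchecked(jsval arg, int *out)
{
    JSObject *obj = JSVAL_TO_OBJECT(arg);      /* NULL for a null jsval */
    int *priv = (int *)JS_GetPrivate(obj);     /* dereferences that NULL */
    *out = *priv;
    return NATIVE_OK;
}

/* "After": reject null/undefined before converting, and still check the
 * pointer the conversion returns before passing it to any other API call.
 * A real native would call JS_ReportError() and return JS_FALSE; an error
 * code stands in for that here. */
static int native_checked(jsval arg, int *out)
{
    if (JSVAL_NULL_OR_VOID(arg) || !JSVAL_IS_OBJECT(arg))
        return NATIVE_ERR_NOT_OBJECT;
    JSObject *obj = JSVAL_TO_OBJECT(arg);
    if (obj == NULL)                           /* belt and braces */
        return NATIVE_ERR_NOT_OBJECT;
    int *priv = (int *)JS_GetPrivate(obj);
    if (priv == NULL)                          /* object of the right shape but no private data */
        return NATIVE_ERR_NO_PRIVATE;
    *out = *priv;
    return NATIVE_OK;
}

int main(void)
{
    int value = 0, payload = 42;
    JSObject obj  = { "Console", &payload };
    JSObject bare = { "Console", NULL };

    printf("unchecked, object: rc=%d value=%d\n", native_unchecked(val_object(&obj), &value), value);
    printf("checked, object:   rc=%d value=%d\n", native_checked(val_object(&obj), &value), value);
    printf("checked, null:     rc=%d\n", native_checked(val_null(), &value));
    printf("checked, void:     rc=%d\n", native_checked(val_void(), &value));
    printf("checked, int:      rc=%d\n", native_checked(val_int(7), &value));
    printf("checked, no priv:  rc=%d\n", native_checked(val_object(&bare), &value));
    return 0;
}
```

The order of the two checks in `native_checked` is the point: testing for null/undefined first means the conversion is never asked to produce a pointer for a value that has none, and the second NULL test covers any other path by which the conversion can fail.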

    ---
    Synchronet - Vertrauen - Home of Synchronet - [vert/cvs/bbs].synchro.net