authorFabrice Bellard <fabrice@bellard.org>2025-04-05 16:19:25 +0200
committerFabrice Bellard <fabrice@bellard.org>2025-04-05 16:19:25 +0200
commitc1bf4e99db34ab123a7da0cc6892aa5523ed406d (patch)
treeae5e9d4d0e2ddb698bb0c9c09dcd7fbd5827eec8 /quickjs.c
parentbeeb2725cdb31065e84834ef3c31062d3ab0ca61 (diff)
workaround for overflow test in JS_GetOwnPropertyNamesInternal() (#111)
Diffstat (limited to 'quickjs.c')
-rw-r--r--quickjs.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/quickjs.c b/quickjs.c
index 8af4d21..ec81c2c 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -7936,7 +7936,21 @@ static int __exception JS_GetOwnPropertyNamesInternal(JSContext *ctx,
/* fill them */
- atom_count = num_keys_count + str_keys_count + sym_keys_count + exotic_keys_count;
+ atom_count = num_keys_count + str_keys_count;
+ if (atom_count < str_keys_count)
+ goto add_overflow;
+ atom_count += sym_keys_count;
+ if (atom_count < sym_keys_count)
+ goto add_overflow;
+ atom_count += exotic_keys_count;
+ if (atom_count < exotic_keys_count || atom_count > INT32_MAX) {
+ add_overflow:
+ JS_ThrowOutOfMemory(ctx);
+ js_free_prop_enum(ctx, tab_exotic, exotic_count);
+ return -1;
+ }
+ /* XXX: need generic way to test for js_malloc(ctx, a * b) overflow */
+
/* avoid allocating 0 bytes */
tab_atom = js_malloc(ctx, sizeof(tab_atom[0]) * max_int(atom_count, 1));
if (!tab_atom) {
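Review bot: The `atom_count > INT32_MAX` test bounds the element count but not the byte size computed just below in `sizeof(tab_atom[0]) * max_int(atom_count, 1)`, so on a build where size_t is 32 bits that product can still wrap and js_malloc() could hand back a buffer smaller than the code after `/* fill them */` presumably writes into; the XXX comment acknowledges this but leaves it open. Tightening the last test to `if (atom_count < exotic_keys_count || atom_count > INT32_MAX / sizeof(tab_atom[0])) {` would close it for this call site without waiting for a generic helper. The wrap tests (`atom_count < str_keys_count` and the two after it) are only valid if the counters are unsigned, and their declarations are outside the hunk, so a short comment such as `/* counters are unsigned: a sum smaller than an addend means wrap-around; the INT32_MAX cap keeps max_int()'s int argument non-negative */` would keep that assumption visible. The function body starts and ends outside the hunk.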