mirror of
https://gitee.com/openharmony/arkcompiler_ets_runtime
synced 2024-10-07 08:03:29 +00:00
!4684 运行ABC文件过程中,函数panda::ecmascript::EcmaString::FlattenNoGC存在空指针异常拒绝服务漏洞
Merge pull request !4684 from 任堂宇/master
commit
24c7bffc31
@ -890,7 +890,7 @@ EcmaString *EcmaString::Trim(const JSThread *thread, const JSHandle<EcmaString>
|
||||
}
|
||||
}
|
||||
|
||||
EcmaString *EcmaString::SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string)
|
||||
EcmaString *EcmaString::SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string, MemSpaceType type)
|
||||
{
|
||||
auto thread = vm->GetJSThread();
|
||||
ASSERT(EcmaString::Cast(string->GetSecond())->GetLength() != 0);
|
||||
@ -898,10 +898,10 @@ EcmaString *EcmaString::SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaStr
|
||||
uint32_t length = string->GetLength();
|
||||
EcmaString *result = nullptr;
|
||||
if (string->IsUtf8()) {
|
||||
result = CreateLineString(vm, length, true);
|
||||
result = CreateLineStringWithSpaceType(vm, length, true, type);
|
||||
WriteToFlat<uint8_t>(*string, result->GetDataUtf8Writable(), length);
|
||||
} else {
|
||||
result = CreateLineString(vm, length, false);
|
||||
result = CreateLineStringWithSpaceType(vm, length, false, type);
|
||||
WriteToFlat<uint16_t>(*string, result->GetDataUtf16Writable(), length);
|
||||
}
|
||||
string->SetFirst(thread, JSTaggedValue(result));
|
||||
@ -909,7 +909,7 @@ EcmaString *EcmaString::SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaStr
|
||||
return result;
|
||||
}
|
||||
|
||||
EcmaString *EcmaString::Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string)
|
||||
EcmaString *EcmaString::Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string, MemSpaceType type)
|
||||
{
|
||||
EcmaString *s = *string;
|
||||
if (s->IsLineOrConstantString()) {
|
||||
@ -918,7 +918,7 @@ EcmaString *EcmaString::Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &st
|
||||
if (s->IsTreeString()) {
|
||||
JSHandle<TreeEcmaString> tree = JSHandle<TreeEcmaString>::Cast(string);
|
||||
if (!tree->IsFlat()) {
|
||||
return SlowFlatten(vm, tree);
|
||||
return SlowFlatten(vm, tree, type);
|
||||
}
|
||||
s = EcmaString::Cast(tree->GetFirst());
|
||||
}
|
||||
|
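Review bot: In SlowFlatten both branches dereference the pointer returned by `CreateLineStringWithSpaceType(vm, length, ..., type)` on the very next line (`result->GetDataUtf8Writable()` / `result->GetDataUtf16Writable()`) without checking it. This merge request exists because the sibling FlattenNoGC hit a null pointer, so the code should either state why this allocator cannot return nullptr for the `type` values callers now pass, or fail explicitly before `WriteToFlat`. The allocator's body is not shown on this page, so whether it can return nullptr is unconfirmed. The `ASSERT` on the second child's length is presumably compiled out of release builds and does not cover this case. SlowFlatten's body is split across several hunks with lines elided between them.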
@ -534,9 +534,10 @@ private:
|
||||
static const uint16_t *GetUtf16DataFlat(const EcmaString *src, CVector<uint16_t> &buf);
|
||||
|
||||
// string must be not flat
|
||||
static EcmaString *SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string);
|
||||
static EcmaString *SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string, MemSpaceType type);
|
||||
|
||||
static EcmaString *Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string);
|
||||
static EcmaString *Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string,
|
||||
MemSpaceType type = MemSpaceType::SEMI_SPACE);
|
||||
|
||||
static EcmaString *FlattenNoGC(const EcmaVM *vm, EcmaString *string);
|
||||
|
||||
@ -1092,14 +1093,16 @@ public:
|
||||
return string_->IsTreeString();
|
||||
}
|
||||
|
||||
static EcmaString *Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string)
|
||||
static EcmaString *Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string,
|
||||
MemSpaceType type = MemSpaceType::SEMI_SPACE)
|
||||
{
|
||||
return EcmaString::Flatten(vm, string);
|
||||
return EcmaString::Flatten(vm, string, type);
|
||||
}
|
||||
|
||||
static EcmaString *SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string)
|
||||
static EcmaString *SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string,
|
||||
MemSpaceType type = MemSpaceType::SEMI_SPACE)
|
||||
{
|
||||
return EcmaString::SlowFlatten(vm, string);
|
||||
return EcmaString::SlowFlatten(vm, string, type);
|
||||
}
|
||||
|
||||
static EcmaString *FlattenNoGC(const EcmaVM *vm, EcmaString *string)
|
||||
|
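Review bot: `FlattenNoGC` stays declared beside the new `Flatten(..., MemSpaceType type = MemSpaceType::SEMI_SPACE)` signatures with no comment on when it is safe to call, although the merge request title attributes a null-pointer crash to it. A short comment above its declaration would keep later callers from reintroducing the pattern, for example `// Never triggers GC; result must be checked when the input may be a non-flat tree string. Prefer Flatten() with a handle.` That wording needs confirming against FlattenNoGC's body, which is not on this page. The new `type` parameter is also undocumented; `// type: heap space in which the flattened line string is allocated` above `Flatten` would cover it.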
@ -110,7 +110,7 @@ EcmaString *EcmaStringTable::GetOrInternString(const JSHandle<EcmaString> &first
|
||||
}
|
||||
JSHandle<EcmaString> concatHandle(vm_->GetJSThread(),
|
||||
EcmaStringAccessor::Concat(vm_, firstFlat, secondFlat, MemSpaceType::OLD_SPACE));
|
||||
concatString = EcmaStringAccessor::FlattenNoGC(vm_, *concatHandle);
|
||||
concatString = EcmaStringAccessor::Flatten(vm_, concatHandle, MemSpaceType::OLD_SPACE);
|
||||
InternString(concatString);
|
||||
return concatString;
|
||||
}
|
||||
@ -162,7 +162,7 @@ EcmaString *EcmaStringTable::GetOrInternString(EcmaString *string)
|
||||
}
|
||||
JSHandle<EcmaString> strHandle(vm_->GetJSThread(), string);
|
||||
// may gc
|
||||
auto strFlat = EcmaStringAccessor::FlattenNoGC(vm_, *strHandle);
|
||||
auto strFlat = EcmaStringAccessor::Flatten(vm_, strHandle, MemSpaceType::OLD_SPACE);
|
||||
if (EcmaStringAccessor(strFlat).IsInternString()) {
|
||||
return strFlat;
|
||||
}
|
||||
|
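Review bot: In `GetOrInternString(EcmaString *string)` the call after `// may gc` is now `Flatten`, which takes a handle and so presumably can allocate and trigger a moving collection; from that line on the raw `string` parameter must not be read, only `strHandle` and `strFlat`. The function continues below the hunk, so a later use of `string` cannot be ruled out from here; any such use should become `*strHandle`. It would also help to extend the existing comment to `// may gc: do not use the raw 'string' pointer after this call`.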
@ -46,6 +46,7 @@ group("ark_js_moduletest") {
|
||||
"equal",
|
||||
"errorhelper",
|
||||
"errorcause",
|
||||
"flatten",
|
||||
"forawaitof",
|
||||
"forin",
|
||||
"fortest",
|
||||
@ -164,6 +165,7 @@ group("ark_asm_test") {
|
||||
"ecmastringtable",
|
||||
"equal",
|
||||
"errorcause",
|
||||
"flatten",
|
||||
"forin",
|
||||
"fortest",
|
||||
"generator",
|
||||
|
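--- a/test/moduletest/flatten/BUILD.gn
+++ b/test/moduletest/flatten/BUILD.gn
@@ -0,0 +1,18 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//arkcompiler/ets_runtime/test/test_helper.gni")
+
+host_moduletest_action("flatten") {
+deps = []
+}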
14
test/moduletest/flatten/expect_output.txt
Normal file
14
test/moduletest/flatten/expect_output.txt
Normal file
File diff suppressed because one or more lines are too long
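--- a/test/moduletest/flatten/flatten.js
+++ b/test/moduletest/flatten/flatten.js
@@ -0,0 +1,33 @@
+/*
+* Copyright (c) 2023 Huawei Device Co., Ltd.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+/*
+* @tc.name:Flatten
+* @tc.desc:test Flatten
+* @tc.type: FUNC
+* @tc.require: issueI7CTF7
+*/
+const v14 = new Uint8ClampedArray(521);
+let v16 = v14[1973679951];
+v16 ||= v14;
+const v17 = new Int32Array();
+const v18 = v14.join(v16);
+try {
+Int32Array();
+} catch(e21) {
+e21.message = v18;
+print(e21);
+v17.set(e21, e21);
+}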
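Review bot: The regression test keeps the fuzzer's generated names (`v14`, `v16`, `e21`) and has no comment saying which statement drives the flatten path, so a later clean-up could remove the trigger without the test failing. A one-line comment above `const v18 = v14.join(v16);` would help, for example `// issueI7CTF7: v18 is a very large joined string used as the error message; handling it must not crash the runtime` (adjust to the actual trigger). `v17` and the final `v17.set(e21, e21)` look like leftovers from the original reproducer; the comment should say whether they are needed. The expected output is suppressed on this page as too long, so what the test prints cannot be checked from here.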