运行ABC文件过程中，函数panda::ecmascript::EcmaString::FlattenNoGC存在空指针异常拒绝服务漏洞

issues:https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I7VZER Signed-off-by: rentangyu <rentangyu@huawei.com>
2024-10-06 23:54:03 +00:00 · 2023-08-25 16:52:24 +08:00 · 2023-08-25 16:52:24 +08:00 · d49eac3009
commit d49eac3009
parent 2f63cdec27
7 changed files with 83 additions and 13 deletions
--- a/ecmascript/ecma_string.cpp
+++ b/ecmascript/ecma_string.cpp
@ -890,7 +890,7 @@ EcmaString *EcmaString::Trim(const JSThread *thread, const JSHandle<EcmaString>
    }
 }

-EcmaString *EcmaString::SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string)
+EcmaString *EcmaString::SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string, MemSpaceType type)
 {
    auto thread = vm->GetJSThread();
    ASSERT(EcmaString::Cast(string->GetSecond())->GetLength() != 0);
@ -898,10 +898,10 @@ EcmaString *EcmaString::SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaStr
    uint32_t length = string->GetLength();
    EcmaString *result = nullptr;
    if (string->IsUtf8()) {
-        result = CreateLineString(vm, length, true);
+        result = CreateLineStringWithSpaceType(vm, length, true, type);
        WriteToFlat<uint8_t>(*string, result->GetDataUtf8Writable(), length);
    } else {
-        result = CreateLineString(vm, length, false);
+        result = CreateLineStringWithSpaceType(vm, length, false, type);
        WriteToFlat<uint16_t>(*string, result->GetDataUtf16Writable(), length);
    }
    string->SetFirst(thread, JSTaggedValue(result));
@ -909,7 +909,7 @@ EcmaString *EcmaString::SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaStr
    return result;
 }

-EcmaString *EcmaString::Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string)
+EcmaString *EcmaString::Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string, MemSpaceType type)
 {
    EcmaString *s = *string;
    if (s->IsLineOrConstantString()) {
@ -918,7 +918,7 @@ EcmaString *EcmaString::Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &st
    if (s->IsTreeString()) {
        JSHandle<TreeEcmaString> tree = JSHandle<TreeEcmaString>::Cast(string);
        if (!tree->IsFlat()) {
-            return SlowFlatten(vm, tree);
+            return SlowFlatten(vm, tree, type);
        }
        s = EcmaString::Cast(tree->GetFirst());
    }
--- a/ecmascript/ecma_string.h
+++ b/ecmascript/ecma_string.h
@ -534,9 +534,10 @@ private:
    static const uint16_t *GetUtf16DataFlat(const EcmaString *src, CVector<uint16_t> &buf);

    // string must be not flat
-    static EcmaString *SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string);
+    static EcmaString *SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string, MemSpaceType type);

-    static EcmaString *Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string);
+    static EcmaString *Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string,
+                               MemSpaceType type = MemSpaceType::SEMI_SPACE);

    static EcmaString *FlattenNoGC(const EcmaVM *vm, EcmaString *string);

@ -1092,14 +1093,16 @@ public:
        return string_->IsTreeString();
    }

-    static EcmaString *Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string)
+    static EcmaString *Flatten(const EcmaVM *vm, const JSHandle<EcmaString> &string,
+        MemSpaceType type = MemSpaceType::SEMI_SPACE)
    {
-        return EcmaString::Flatten(vm, string);
+        return EcmaString::Flatten(vm, string, type);
    }

-    static EcmaString *SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string)
+    static EcmaString *SlowFlatten(const EcmaVM *vm, const JSHandle<TreeEcmaString> &string,
+        MemSpaceType type = MemSpaceType::SEMI_SPACE)
    {
-        return EcmaString::SlowFlatten(vm, string);
+        return EcmaString::SlowFlatten(vm, string, type);
    }

    static EcmaString *FlattenNoGC(const EcmaVM *vm, EcmaString *string)
--- a/ecmascript/ecma_string_table.cpp
+++ b/ecmascript/ecma_string_table.cpp
@ -110,7 +110,7 @@ EcmaString *EcmaStringTable::GetOrInternString(const JSHandle<EcmaString> &first
    }
    JSHandle<EcmaString> concatHandle(vm_->GetJSThread(),
        EcmaStringAccessor::Concat(vm_, firstFlat, secondFlat, MemSpaceType::OLD_SPACE));
-    concatString = EcmaStringAccessor::FlattenNoGC(vm_, *concatHandle);
+    concatString = EcmaStringAccessor::Flatten(vm_, concatHandle, MemSpaceType::OLD_SPACE);
    InternString(concatString);
    return concatString;
 }
@ -162,7 +162,7 @@ EcmaString *EcmaStringTable::GetOrInternString(EcmaString *string)
    }
    JSHandle<EcmaString> strHandle(vm_->GetJSThread(), string);
    // may gc
-    auto strFlat = EcmaStringAccessor::FlattenNoGC(vm_, *strHandle);
+    auto strFlat = EcmaStringAccessor::Flatten(vm_, strHandle, MemSpaceType::OLD_SPACE);
    if (EcmaStringAccessor(strFlat).IsInternString()) {
        return strFlat;
    }
--- a/test/moduletest/BUILD.gn
+++ b/test/moduletest/BUILD.gn
@ -45,6 +45,7 @@ group("ark_js_moduletest") {
    "equal",
    "errorhelper",
    "errorcause",
+    "flatten",
    "forawaitof",
    "forin",
    "fortest",
@ -162,6 +163,7 @@ group("ark_asm_test") {
    "ecmastringtable",
    "equal",
    "errorcause",
+    "flatten",
    "forin",
    "fortest",
    "generator",
--- a/test/moduletest/flatten/BUILD.gn
+++ b/test/moduletest/flatten/BUILD.gn
@ -0,0 +1,18 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//arkcompiler/ets_runtime/test/test_helper.gni")
+
+host_moduletest_action("flatten") {
+  deps = []
+}
--- a/test/moduletest/flatten/expect_output.txt
+++ b/test/moduletest/flatten/expect_output.txt
--- a/test/moduletest/flatten/flatten.js
+++ b/test/moduletest/flatten/flatten.js
@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * @tc.name:Flatten
+ * @tc.desc:test Flatten
+ * @tc.type: FUNC
+ * @tc.require: issueI7CTF7
+ */
+const v14 = new Uint8ClampedArray(521);
+let v16 = v14[1973679951];
+v16 ||= v14;
+const v17 = new Int32Array();
+const v18 = v14.join(v16);
+try {
+    Int32Array();
+} catch(e21) {
+    e21.message = v18;
+    print(e21);
+    v17.set(e21, e21);
+}