From e2e48185673afa7b41a7e0ae1c6cbd93792bdf06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A1niel=20B=C3=A1tyai?=
Date: Mon, 25 May 2020 17:32:42 +0200
Subject: [PATCH] Add stack limit check to proxy operations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes #3785.
JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai dbatyai@inf.u-szeged.hu
---
 .../ecma/operations/ecma-proxy-object.c | 4 ++
 .../es2015/regression-test-issue-3785.js | 37 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 tests/jerry/es2015/regression-test-issue-3785.js
diff --git a/jerry-core/ecma/operations/ecma-proxy-object.c b/jerry-core/ecma/operations/ecma-proxy-object.c
index 3e831b85eb..6e75c5d20c 100644
--- a/jerry-core/ecma/operations/ecma-proxy-object.c
+++ b/jerry-core/ecma/operations/ecma-proxy-object.c
@@ -25,6 +25,7 @@
 #include "ecma-objects.h"
 #include "ecma-objects-general.h"
 #include "ecma-proxy-object.h"
+#include "jcontext.h"

 /** \addtogroup ecma ECMA
 * @{
@@ -994,6 +995,7 @@ ecma_proxy_object_has (ecma_object_t *obj_p, /**< proxy object */
 ecma_string_t *prop_name_p) /**< property name */
 {
 JERRY_ASSERT (ECMA_OBJECT_IS_PROXY (obj_p));
+ ECMA_CHECK_STACK_USAGE ();

 ecma_proxy_object_t *proxy_obj_p = (ecma_proxy_object_t *) obj_p;

@@ -1097,6 +1099,7 @@ ecma_proxy_object_get (ecma_object_t *obj_p, /**< proxy object */
 ecma_value_t receiver) /**< receiver to invoke getter function */
 {
 JERRY_ASSERT (ECMA_OBJECT_IS_PROXY (obj_p));
+ ECMA_CHECK_STACK_USAGE ();

 ecma_proxy_object_t *proxy_obj_p = (ecma_proxy_object_t *) obj_p;

@@ -1201,6 +1204,7 @@ ecma_proxy_object_set (ecma_object_t *obj_p, /**< proxy object */
 ecma_value_t receiver) /**< receiver to invoke setter function */
 {
 JERRY_ASSERT (ECMA_OBJECT_IS_PROXY (obj_p));
+ ECMA_CHECK_STACK_USAGE ();

 ecma_proxy_object_t *proxy_obj_p = (ecma_proxy_object_t *) obj_p;

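Review bot: The stack guard is added only to `ecma_proxy_object_has`, `ecma_proxy_object_get` and `ecma_proxy_object_set` (this hunk and the two after it), while the other proxy internal methods in ecma-proxy-object.c, such as [[GetOwnProperty]], [[DefineOwnProperty]], [[Delete]] and [[OwnPropertyKeys]], are not touched by this patch. They presumably also forward to the target object, so it is worth confirming whether any of them can recurse without a bound and, if so, adding `ECMA_CHECK_STACK_USAGE ();` right after their `JERRY_ASSERT` in the same way. The macro's definition is outside the diff; if it expands to nothing when no stack limit is configured, these three paths still end in a native stack overflow on such builds, and the commit message should say that the fix depends on that setting. Because the macro apparently returns from the caller, a short comment at the first call site such as `/* May return a RangeError: proxy lookups can re-enter through the target's prototype chain. */` would make the hidden exit visible. All three function bodies continue past their hunks.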
diff --git a/tests/jerry/es2015/regression-test-issue-3785.js b/tests/jerry/es2015/regression-test-issue-3785.js
new file mode 100644
index 0000000000..be034a8425
--- /dev/null
+++ b/tests/jerry/es2015/regression-test-issue-3785.js
@@ -0,0 +1,37 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+var a = new Proxy({length:2}, {});
+a.__proto__ = a;
+
+try {
+ a[1];
+ assert (false);
+} catch (e) {
+ assert (e instanceof RangeError);
+}
+
+try {
+ a[1] = 2;
+ assert (false);
+} catch (e) {
+ assert (e instanceof RangeError);
+}
+
+try {
+ Array.prototype.forEach.call(a, ()=>{});
+ assert (false);
+} catch (e) {
+ assert (e instanceof RangeError);
+}
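Review bot: The [[HasProperty]] path is reached only indirectly, through `Array.prototype.forEach.call(a, ()=>{})`, so a later change to how forEach probes indices could leave `ecma_proxy_object_has` unexercised without this file failing; a fourth try/catch block whose body is `1 in a;` would pin it directly. The file also has no comment explaining why these accesses recurse, and a line above `a.__proto__ = a;` such as `// The proxy becomes its own prototype, so a lookup that misses on the target re-enters the proxy.` would make the intent clear. The RangeError expectation presumably holds only on builds with a stack limit configured, which the test does not state.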