Module: wine Branch: master Commit: 2173cac68e668eea3d28c30e9fc11ea8ee13fa51 URL: https://gitlab.winehq.org/wine/wine/-/commit/2173cac68e668eea3d28c30e9fc11ea...
Author: Gabriel Ivăncescu gabrielopcode@gmail.com Date: Wed Jun 21 17:58:00 2023 +0300
jscript: Fix addressing invalid memory if ref is an argument.
`ref` can be negative in case it refers to an argument. Even though scope != frame->base_scope would rule this out (because only base scopes have args), it was checked *after* the memory access, which would read out-of-bounds memory first. This didn't appear as an issue in practice since it's using the heap pool, so there's probably valid memory before it, but it's still wrong.
Signed-off-by: Gabriel Ivăncescu gabrielopcode@gmail.com
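The evaluation-order point in the commit message, as an added stand-alone example (not Wine's code): `variable_t`, `function_t`, `scope_t`, `frame_t` and the `needs_varobj_put_*` helpers are constructed stand-ins for the jscript structures, and the checked accessor records an out-of-range index instead of reading through it so the demonstration stays defined behaviour. Both orderings are run on the argument case (`ref = -1`, `scope == base_scope`); only the pre-fix ordering indexes the array before the scope test rejects the case.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-ins for jscript's variable/function/scope/frame structures.
 * Constructed for this example; they are not Wine's real definitions. */
typedef struct { int func_id; } variable_t;
typedef struct { variable_t *variables; int nvars; } function_t;
typedef struct { int unused; } scope_t;
typedef struct { function_t *function; scope_t *base_scope; } frame_t;

/* Checked accessor: instead of reading frame->function->variables[ref]
 * unconditionally, it flags an out-of-range ref (negative refs are arguments)
 * and returns -1, so an out-of-bounds index is observable without UB. */
static int var_func_id(const frame_t *frame, int ref, bool *oob)
{
    if (ref < 0 || ref >= frame->function->nvars) {
        *oob = true;
        return -1;      /* nothing was actually read */
    }
    return frame->function->variables[ref].func_id;
}

/* Pre-fix operand order: the array is indexed before the scope test,
 * so a negative ref is used as an index even when scope == base_scope. */
bool needs_varobj_put_before_fix(const frame_t *frame, scope_t *scope,
                                 int ref, bool *oob)
{
    *oob = false;
    return var_func_id(frame, ref, oob) != -1 && scope != frame->base_scope;
}

/* Post-fix operand order: the scope test comes first and && short-circuits,
 * so the array is only indexed for non-base scopes, where ref >= 0. */
bool needs_varobj_put_after_fix(const frame_t *frame, scope_t *scope,
                                int ref, bool *oob)
{
    *oob = false;
    return scope != frame->base_scope && var_func_id(frame, ref, oob) != -1;
}

/* Runs the argument case through both orderings. Returns 1 when only the
 * pre-fix ordering touched an out-of-range index, 0 otherwise. */
int demo(void)
{
    variable_t vars[2] = { { 7 }, { -1 } };   /* constructed sample data */
    function_t fn = { vars, 2 };
    scope_t base;
    frame_t frame = { &fn, &base };
    bool oob_before, oob_after;

    needs_varobj_put_before_fix(&frame, &base, -1, &oob_before);
    needs_varobj_put_after_fix(&frame, &base, -1, &oob_after);
    return oob_before && !oob_after;
}

int main(void)
{
    printf("pre-fix order indexes out of range, post-fix does not: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The swap changes nothing for the non-base-scope path (both orderings still consult `func_id` there); it only stops the base-scope path from forming the negative index in the first place.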
---
dlls/jscript/engine.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/jscript/engine.c b/dlls/jscript/engine.c index 9e375294cb5..a4b416ba8ed 100644 --- a/dlls/jscript/engine.c +++ b/dlls/jscript/engine.c @@ -657,7 +657,7 @@ static HRESULT detach_scope(script_ctx_t *ctx, call_frame_t *frame, scope_chain_
if (FAILED(hres = jsdisp_propput_name(scope->jsobj, name, ctx->stack[local_off(frame, ref)]))) return hres; - if (frame->function->variables[ref].func_id != -1 && scope != frame->base_scope + if (scope != frame->base_scope && frame->function->variables[ref].func_id != -1 && FAILED(hres = jsdisp_propput_name(frame->variable_obj, name, ctx->stack[local_off(frame, ref)]))) return hres; }
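Review bot: the operand swap is correct but nothing in the hunk records why `scope != frame->base_scope` has to be evaluated before `frame->function->variables[ref].func_id`, so a later tidy-up could put the operands back in the original order and reintroduce the negative-index read without any test noticing. Suggest a one-line comment above the condition, along the lines of `/* ref < 0 is an argument; only base scopes have args, so test the scope before indexing variables[] */`, or an `assert(ref >= 0)` at the start of the branch so the invariant is enforced rather than implied. Note also that the preceding call `jsdisp_propput_name(scope->jsobj, name, ctx->stack[local_off(frame, ref)])` is still reached with a negative `ref` in the argument case; if `local_off` is what maps argument refs onto the stack, that is fine, but the comment should say so, since it is the only place in this function where a negative `ref` is still used as an index.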