View Issue Details

ID: 0009963
Project: Taler
Category: qtart
View Status: public
Last Update: 2025-05-15 13:06
Reporter: fefe
Assigned To: Florian Dold
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: git (master)
Target Version: post-1.0
Summary: 0009963: concurrency issue with using JS_GetArrayBuffer?
Description: The qtart code uses JS_GetArrayBuffer to get pointers to the contents of incoming function arguments, like here:

    uint8_t *expect_fixed_buffer(JSContext *ctx,
                                 JSValue val, size_t len,
                                 const char *msg)
    {
      uint8_t *buf;
      size_t sz;

      buf = JS_GetArrayBuffer(ctx, &sz, val);
      if (!buf) {
        return NULL;
      }
      if (sz != len) {
        JS_ThrowTypeError(ctx, "invalid length for %s", msg);
        return NULL;
      }
      return buf;
    }

The function JS_GetArrayBuffer has this warning on top of it:

    /* return NULL if exception. WARNING: any JS call can detach the
       buffer and render the returned pointer invalid */
    uint8_t *JS_GetArrayBuffer(JSContext *ctx, size_t *psize, JSValueConst obj)

I was wondering if there is a chance that another thread could race us and resize the variable. Not sure how this is supposed to work, but it feels dangerous to me. The threat would be malicious JavaScript code, so probably not a huge concern for mobile apps, but if we open a security boundary like this, we should make sure.
Tags: security
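Added example, not qtart code and not the QuickJS API: a self-contained C model of the hazard the JS_GetArrayBuffer warning describes and of the usual mitigation. The `ab_t` type, `ab_get` and `ab_detach` are hypothetical stand-ins for a JS ArrayBuffer, JS_GetArrayBuffer and "any JS call that may detach the buffer"; the point is that `copy_fixed_buffer` validates the length and copies the bytes into caller-owned memory while the pointer is still valid, so the native code never holds a pointer into the JS heap across a later call into JS.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a JS ArrayBuffer (not the QuickJS structure).
 * Once detached, the backing store is freed and any pointer previously
 * obtained from the buffer dangles. */
typedef struct {
    uint8_t *data;
    size_t len;
    int detached;
} ab_t;

/* Models JS_GetArrayBuffer: live pointer, or NULL once the buffer is detached. */
static uint8_t *ab_get(ab_t *ab, size_t *psize)
{
    if (ab->detached)
        return NULL;
    *psize = ab->len;
    return ab->data;
}

/* Models what "any JS call" may do behind the native code's back:
 * detach the buffer and free its backing store. */
static void ab_detach(ab_t *ab)
{
    free(ab->data);
    ab->data = NULL;
    ab->len = 0;
    ab->detached = 1;
}

/* Hardened variant of expect_fixed_buffer: check the length and copy the
 * bytes out immediately, before anything else can run. Returns 0 on success,
 * -1 if the buffer is detached or has the wrong length (where the real code
 * would raise a TypeError). */
static int copy_fixed_buffer(ab_t *ab, uint8_t *out, size_t len)
{
    size_t sz;
    uint8_t *buf = ab_get(ab, &sz);
    if (!buf)
        return -1;
    if (sz != len)
        return -1;
    memcpy(out, buf, len);  /* snapshot taken while the pointer is still valid */
    return 0;
}

/* Native-style function: take a 32-byte key from JS, then do work that may
 * re-enter JS (modelled here by a detach). Because the key was copied first,
 * the detach cannot invalidate what is used afterwards. Returns the byte sum
 * of the copied key, or -1 on a bad argument. */
static int use_key_then_call_js(ab_t *ab)
{
    uint8_t key[32];
    if (copy_fixed_buffer(ab, key, sizeof key) != 0)
        return -1;
    ab_detach(ab);  /* stands in for a JS call that happens to detach the buffer */
    int sum = 0;
    for (size_t i = 0; i < sizeof key; i++)
        sum += key[i];
    return sum;
}

/* Constructed test input: a buffer of `len` bytes all set to `fill`. */
static ab_t *ab_new(size_t len, uint8_t fill)
{
    ab_t *ab = calloc(1, sizeof *ab);
    ab->data = malloc(len);
    memset(ab->data, fill, len);
    ab->len = len;
    return ab;
}

int main(void)
{
    ab_t *ok = ab_new(32, 0x5a);
    ab_t *wrong = ab_new(16, 0x5a);
    printf("32-byte key: sum %d\n", use_key_then_call_js(ok));      /* 2880 */
    printf("16-byte key: %d (rejected)\n", use_key_then_call_js(wrong));
    free(ok->data); free(ok); free(wrong->data); free(wrong);
    return 0;
}
```

The same discipline applies to the real qtart helper: either copy `len` bytes out right after the length check (as above), or treat the returned pointer as valid only until the next call into QuickJS and re-fetch it with JS_GetArrayBuffer afterwards.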

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2025-05-15 12:41 fefe New Issue
2025-05-15 13:06 Christian Grothoff Assigned To => Florian Dold
2025-05-15 13:06 Christian Grothoff Status new => assigned
2025-05-15 13:06 Christian Grothoff Product Version => git (master)
2025-05-15 13:06 Christian Grothoff Target Version => post-1.0
2025-05-15 13:06 Christian Grothoff Tag Attached: security