Fix set_global() use after free.

theduke · Mar 15, 2021 · e759be0 · e759be0
1 parent 05998ab
commit e759be0
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/src/bindings.rs b/src/bindings.rs
@@ -748,6 +748,9 @@ impl<'a> OwnedObjectRef<'a> {
         }
     }
 
+    // Set a property on an object.
+    // NOTE: this method takes ownership of the `JSValue`, so it must not be
+    // freed later.
     unsafe fn set_property_raw(&self, name: &str, value: q::JSValue) -> Result<(), ExecutionError> {
         let cname = make_cstring(name)?;
         let ret = q::JS_SetPropertyStr(
@@ -765,7 +768,12 @@ impl<'a> OwnedObjectRef<'a> {
 
     pub fn set_property(&self, name: &str, value: JsValue) -> Result<(), ExecutionError> {
         let qval = self.value.context.serialize_value(value)?;
-        unsafe { self.set_property_raw(name, qval.value) }
+        unsafe {
+            self.set_property_raw(name, qval.value)?;
+            // set_property_raw takes ownership, so we must prevent a free.
+            std::mem::forget(qval);
+        }
+        Ok(())
     }
 }
 

diff --git a/src/tests.rs b/src/tests.rs
@@ -605,3 +605,10 @@ fn test_console() {
         ]
     );
 }
+
+#[test]
+fn test_global_setter() {
+    let ctx = Context::new().unwrap();
+    ctx.set_global("a", "a").unwrap();
+    ctx.eval("a + 1").unwrap();
+}