
Remove potential use-after-free data corruption in ByteArray.toString.

Evan Welsh requested to merge ewlsh/bytearray-to-string into master

If a garbage collection occurs between when we call js::GetUint8ArrayLengthAndData and gjs_string_from_utf8 in ByteArray.toString, a use-after-free corruption can occur if the garbage collector shifts the location of the Uint8Array's private data. To mitigate this, we call js::GetUint8ArrayLengthAndData again and then check whether the length and pointer are still the same. If the pointers differ, we use the slow path to ensure no data corruption occurred.

Fixes #339 (closed)
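The re-fetch-and-compare pattern the merge request describes, as an added illustration that is not gjs code: `ModelArray`, the two-slot "heap", and the `gc` hook are constructed stand-ins for a relocatable Uint8Array and for a collector running inside gjs_string_from_utf8; the form of the slow path (a copy from the array's current buffer) is an assumption.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <string>

// Constructed model of a Uint8Array whose private data a moving collector can relocate.
// Two fixed slots stand in for the heap so a stale read is well-defined (but wrong).
struct ModelArray {
    std::array<uint8_t, 32> slot_a{}, slot_b{};
    uint8_t* cur;
    size_t len;
    ModelArray(const std::string& s) : cur(slot_a.data()), len(s.size()) {
        std::copy(s.begin(), s.end(), cur);
    }
    // Models a GC that moves the buffer and hands the old memory to another object.
    void relocate() {
        uint8_t* next = (cur == slot_a.data()) ? slot_b.data() : slot_a.data();
        std::copy(cur, cur + len, next);
        std::fill(cur, cur + len, '#');  // old location reused: a stale pointer now reads junk
        cur = next;
    }
};
using GcHook = void (*)(ModelArray&);

// Stand-in for js::GetUint8ArrayLengthAndData: current length and raw data pointer.
static void get_length_and_data(const ModelArray& a, size_t* len, uint8_t** data) {
    *len = a.len;
    *data = a.cur;
}
// Stand-in for gjs_string_from_utf8: the real call may allocate, so a GC can run here
// while the caller still holds the raw pointer obtained above.
static std::string string_from_utf8(const uint8_t* p, size_t n, GcHook gc, ModelArray& a) {
    gc(a);
    return std::string(reinterpret_cast<const char*>(p), n);
}
// Pre-fix shape: trusts the pointer across a call that may trigger a collection.
std::string to_string_unchecked(ModelArray& a, GcHook gc) {
    size_t len; uint8_t* data;
    get_length_and_data(a, &len, &data);
    return string_from_utf8(data, len, gc, a);
}
// Post-fix shape: re-fetch after converting; if length or pointer moved, take the slow path.
std::string to_string_checked(ModelArray& a, GcHook gc) {
    size_t len; uint8_t* data;
    get_length_and_data(a, &len, &data);
    std::string fast = string_from_utf8(data, len, gc, a);
    size_t len2; uint8_t* data2;
    get_length_and_data(a, &len2, &data2);
    if (len2 == len && data2 == data) return fast;  // nothing moved: fast result is valid
    return std::string(reinterpret_cast<const char*>(data2), len2);  // assumed slow path
}
static void gc_that_moves(ModelArray& a) { a.relocate(); }
static void gc_that_does_nothing(ModelArray&) {}
```

The check runs after the conversion, so it detects a relocation rather than preventing the stale read; that matches the mitigation as the description states it.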
