From 73e684f4a8efcb0ecddefea492742acfe448f7cb Mon Sep 17 00:00:00 2001
From: Stefan Siegl
Date: Fri, 27 Sep 2024 23:02:48 +0200
Subject: [PATCH] fix zend_string access issues & user after free in error handling code

---
 v8js_object_export.cc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/v8js_object_export.cc b/v8js_object_export.cc
index 61ba0c95..eca9ae8a 100644
--- a/v8js_object_export.cc
+++ b/v8js_object_export.cc
@@ -543,7 +543,7 @@ static void v8js_fake_call_impl(const v8::FunctionCallbackInfo& info)
 if (!info[1]->IsArray()) {
 error_len = spprintf(&error, 0,
 "%s::__call expects 2nd parameter to be an array",
- ce->name);
+ ZSTR_VAL(ce->name));
 
 if (error_len > std::numeric_limits::max()) {
 zend_throw_exception(php_ce_v8js_exception,
@@ -607,14 +607,14 @@ static void v8js_fake_call_impl(const v8::FunctionCallbackInfo& info)
 // okay, look up the method name and manually invoke it.
 const zend_object_handlers *h = object->handlers;
 zend_function *method_ptr = h->get_method(&object, method_name, NULL);
- zend_string_release(method_name);
 
 if (method_ptr == NULL ||
 (method_ptr->common.fn_flags & ZEND_ACC_PUBLIC) == 0 ||
 (method_ptr->common.fn_flags & (ZEND_ACC_CTOR|ZEND_ACC_DTOR)) != 0) {
 error_len = spprintf(&error, 0,
 "%s::__call to %s method %s", ZSTR_VAL(ce->name),
- (method_ptr == NULL) ? "undefined" : "non-public", method_name);
+ (method_ptr == NULL) ? "undefined" : "non-public", ZSTR_VAL(method_name));
+ zend_string_release(method_name);
 
 if (error_len > std::numeric_limits::max()) {
 zend_throw_exception(php_ce_v8js_exception,
@@ -629,6 +629,8 @@ static void v8js_fake_call_impl(const v8::FunctionCallbackInfo& info)
 return;
 }
 
+ zend_string_release(method_name);
+
 v8::Local tmpl = v8::Local::New
 (isolate, *reinterpret_cast(self->GetAlignedPointerFromInternalField(0)));
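Review bot: Handing `ce->name` (a `zend_string *`) to a `%s` conversion made spprintf read the string object's header fields as if they were characters, so the removed line was a mis-typed out-of-bounds read rather than merely a wrong name in the message; `ZSTR_VAL(ce->name)` on the new side is the right fix, and the same mismatch is corrected for `method_name` in the second hunk. Because spprintf is variadic, nothing in this change stops the next such call site; as far as I recall its declaration in the PHP headers carries a printf-style format attribute, so building this translation unit with `-Wformat` (or `-Werror=format`) should flag any remaining `zend_string *` passed to `%s`. A short comment at the first call site, `// %s needs the C string: pass ZSTR_VAL(), never the zend_string itself`, would document the trap for the rest of the file. `v8js_fake_call_impl` begins before this hunk.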
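Review bot: The ownership of `method_name` is now balanced by two separate release sites — the added `zend_string_release(method_name);` inside the error branch here and the one the third hunk adds after that branch's `return;` — and that balance only holds as long as nobody introduces another early exit between `get_method` and the later release (the nested `error_len` check inside the branch appears to return, which is why the release must stay ahead of it). Since this is a C++ translation unit, a scope guard bound right after the lookup would remove both explicit release lines and the risk of the next leak or double release: `std::unique_ptr<zend_string, void (*)(zend_string *)> name_guard(method_name, [](zend_string *s) { zend_string_release(s); });` (needs `<memory>`). The declaration of `method_name` and the remainder of `v8js_fake_call_impl` lie outside this hunk, so whether the string is still read after the template lookup cannot be confirmed from here.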