
commit 18f142740af8ae86f3503c4ce4eef2981a8c631d
parent 9c9b41573c09b4650793b0c943d657ca16006262
Author: Bryan Thrall <bthrall@mozilla.com>
Date:   Tue,  6 Jan 2026 16:56:38 +0000

Bug 2004509 - Report errors when JSStructuredCloneReader::readSavedFrameHeader() returns null r=mgaudet

Differential Revision: https://phabricator.services.mozilla.com/D277952

Diffstat:
Ajs/src/jit-test/tests/structured-clone/bug2004509.js | 36++++++++++++++++++++++++++++++++++++
Mjs/src/vm/StructuredClone.cpp | 8+++++++-
2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/js/src/jit-test/tests/structured-clone/bug2004509.js b/js/src/jit-test/tests/structured-clone/bug2004509.js
@@ -0,0 +1,36 @@
+// |jit-test|
+
+load(libdir + "asserts.js");
+
+function assert(x)
+{
+ if (x){
+ return;
+ }
+ throw new Error("assertion failed");
+}
+
+function f() { return saveStack(); }
+function g() { return f(); }
+
+let stack = g();
+let clonebuf = serialize(stack, undefined, {scope: "DifferentProcess"});
+let data = clonebuf.clonebuffer;
+
+let boolPattern = String.fromCharCode(0x02, 0x00, 0xFF, 0xFF);
+let boolIndex = data.indexOf(boolPattern);
+assert(boolIndex >= 0);
+
+let stringPattern = String.fromCharCode(0x04, 0x00, 0xFF, 0xFF);
+let stringIndex = data.indexOf(stringPattern, boolIndex + 8);
+assert(stringIndex >= 0);
+
+// SCTAG_STRING -> SCTAG_INT32
+let corrupted = data.substring(0, stringIndex) +
+ String.fromCharCode(0x03, 0x00, 0xFF, 0xFF) +
+ data.substring(stringIndex + 4);
+
+let buf = serialize("dummy");
+buf.clonebuffer = corrupted;
+
+assertThrowsInstanceOf(() => deserialize(buf), Error);
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
@@ -3670,7 +3670,13 @@ JSObject* JSStructuredCloneReader::readSavedFrameHeader(
 }
 if (mutedErrors.isBoolean()) {
- if (!startRead(&source, AtomizeStrings) || !source.isString()) {
+ if (!startRead(&source, AtomizeStrings)) {
+ return nullptr;
+ }
+ if (!source.isString()) {
+ JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr,
+ JSMSG_SC_BAD_SERIALIZED_DATA,
+ "bad source string");
 return nullptr;
+ }
 }
 } else if (mutedErrors.isString()) {
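Review bot: The byte patterns and the `boolIndex + 8` offset in the tag search are undocumented, so a reader cannot tell why 0x02/0x04/0x03 followed by 0xFF 0xFF are the right values or why the string search starts 8 characters past the boolean match; a comment above `boolPattern` such as `// Each serialized value is a (data, tag) pair; these bytes are the tag half (SCTAG_* values in the 0xFFFFxxxx range) of the mutedErrors boolean, as laid out by the writer.` would ground the magic values, with a similar note on the `+ 8`, which presumably skips the rest of that boolean pair — confirm against the writer's pair layout. A 4-byte pattern can also occur inside string payload bytes, so a second thing worth tightening is the final assertion: checking that the thrown error carries the JSMSG_SC_BAD_SERIALIZED_DATA message rather than only `Error` would distinguish the newly reported failure from any other way `deserialize` could fail on a corrupted buffer. The local `assert` helper duplicates what `asserts.js` already loads; using the library's assertion would keep the failure output consistent with the other structured-clone tests.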
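Review bot: The bare `return nullptr;` after the `startRead()` failure relies on `startRead()` having already reported, while the `isString()` failure now reports explicitly, and nothing in the hunk says why the two paths differ; a comment would make that deliberate: `// startRead() reports its own failure; only the type check needs a report here.` — worded as an assumption, since startRead()'s reporting is not visible in this hunk. readSavedFrameHeader() starts and ends outside the hunk; given the commit title, its other `return nullptr;` paths (not visible here) deserve the same review, because a null return with no pending exception is presumably the state the new test now turns into a catchable Error. The test only exercises the `isString()` path, so any other unreported path would remain uncovered.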