Package: libjavascriptcore-1.0-0
Version: 2.4.11-2
Tags: patch

Hi there,

As reported on #688640 and #834236, a recent update of
libjavascriptcore-1.0-0 broke Midori 0.5.11-ds1-3, causing a
segmentation fault right on startup.

The reason for this is the incorrect/not-so-strict handling of the
'sourceURL' argument on JSEvaluateScript (from
Source/JavaScriptCore/API/JSBase.cpp).  Midori passes 'sourceURL' as
NULL (and always did), but recently, because JSEvaluateScript tries to
call the ->string() method of the object, the code crashes there.

Anyway, I fixed this on Midori by passing an empty JSString object to
JSEvaluateScript, but I see that WebKit upstream takes better care of
the 'sourceURL' argument and checks if it is not NULL before accessing
its members.  Therefore, I'd like to propose the attached fix (which is
basically a backport of the upstream code) for the current version of
WebKit.  I haven't tested it as I am currently on a not very powerful
machine, so I appreciate reviews and tests.

Also, the bug number on 'Closes' is invalid (because I still don't have
the bug number), so please adjust it before applying the patch.

Let me know if there is anything else you need.

Thanks,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF  31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/

From 0806eafc0243dd6df62cdfbb1e61f4ee42adcef4 Mon Sep 17 00:00:00 2001
From: Sergio Durigan Junior <sergi...@sergiodj.net>
Date: Tue, 16 Aug 2016 20:58:57 -0400
Subject: [PATCH] Improve handling of 'sourceURL' on JSEvaluateScript.

The current code of JSEvaluateScript
(Source/JavaScriptCore/API/JSBase.cpp) does not check if 'sourceURL'
is NULL before trying to access its members, causing a segmentation
fault on some scenarios.  This patch improves the code by checking for
NULL and passing a String() if needed.

Closes: #123456
---
 debian/changelog                                   |  9 +++++++++
 .../fix-javascriptcoregtk-sourceURL-handling.patch | 22 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 32 insertions(+)
 create mode 100644 debian/patches/fix-javascriptcoregtk-sourceURL-handling.patch

diff --git a/debian/changelog b/debian/changelog
index 4673c8f..aeb660b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,18 @@
 webkitgtk (2.4.11-3) UNRELEASED; urgency=medium
 
+  [ Jeremy Bicha ]
   * debian/control:
     - Bump breaks/replaces for libwebkitgtk-doc split since Ubuntu
       packaged 2.4.11 before taking the split (Closes: #833308)
 
+  [ Sergio Durigan Junior ]
+  * Improve handling of 'sourceURL' on JSEvaluateScript.
+    The current code of JSEvaluateScript
+    (Source/JavaScriptCore/API/JSBase.cpp) does not check if 'sourceURL'
+    is NULL before trying to access its members, causing a segmentation
+    fault on some scenarios.  This patch improves the code by checking for
+    NULL and passing a String() if needed. (Closes: #123456)
+
  -- Jeremy Bicha <jbi...@ubuntu.com>  Tue, 02 Aug 2016 14:39:17 -0400
 
 webkitgtk (2.4.11-2) unstable; urgency=medium
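Review bot: the "(Closes: #123456)" in the new changelog entry is a placeholder (the cover mail says so) and must be replaced with the real bug number before the entry is uploaded; also, the entry repeats the whole commit message and does not name the patch file, so a one-line summary along the lines of `* debian/patches/fix-javascriptcoregtk-sourceURL-handling.patch: check for NULL 'sourceURL' in JSEvaluateScript and in the checkSyntax path (fixes a startup segfault in Midori). (Closes: #NNNNNN)` would follow the existing entries' style and make the change easier to find later.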
diff --git a/debian/patches/fix-javascriptcoregtk-sourceURL-handling.patch b/debian/patches/fix-javascriptcoregtk-sourceURL-handling.patch
new file mode 100644
index 0000000..d99cdf5
--- /dev/null
+++ b/debian/patches/fix-javascriptcoregtk-sourceURL-handling.patch
@@ -0,0 +1,22 @@
+Index: webkit/Source/JavaScriptCore/API/JSBase.cpp
+===================================================================
+--- webkit.orig/Source/JavaScriptCore/API/JSBase.cpp	2016-08-16 20:40:13.223460059 -0400
++++ webkit/Source/JavaScriptCore/API/JSBase.cpp	2016-08-16 20:46:15.244442388 -0400
+@@ -57,7 +57,7 @@
+ 
+     // evaluate sets "this" to the global object if it is NULL
+     JSGlobalObject* globalObject = exec->vmEntryGlobalObject();
+-    SourceCode source = makeSource(script->string(), sourceURL->string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber::first()));
++    SourceCode source = makeSource(script->string(), sourceURL ? sourceURL->string() : String(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber::first()));
+ 
+     JSValue evaluationException;
+     JSValue returnValue = evaluate(globalObject->globalExec(), source, jsThisObject, &evaluationException);
+@@ -86,7 +86,7 @@
+ 
+     startingLineNumber = std::max(1, startingLineNumber);
+ 
+-    SourceCode source = makeSource(script->string(), sourceURL->string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber::first()));
++    SourceCode source = makeSource(script->string(), sourceURL ? sourceURL->string() : String(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber::first()));
+     
+     JSValue syntaxException;
+     bool isValidSyntax = checkSyntax(exec->vmEntryGlobalObject()->globalExec(), source, &syntaxException);
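Review bot: the new patch file carries no DEP-3 header, so the package keeps no record of where this fix comes from; since the cover mail describes it as a backport of the upstream NULL check, add at the top of the file a `Description:` line, `Author:`, `Origin: backport, <upstream commit URL>`, `Bug-Debian: https://bugs.debian.org/<bug number>` and `Forwarded: not-needed`. The two code hunks themselves match the stated intent: both `makeSource(...)` calls now use `sourceURL ? sourceURL->string() : String()` instead of dereferencing `sourceURL` unconditionally, and the second hunk covers the checkSyntax path as well as JSEvaluateScript, which the commit message and changelog do not mention. As the cover mail says the change is untested, a rebuilt library should at least be exercised once with a caller that passes NULL as the sourceURL before upload.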
diff --git a/debian/patches/series b/debian/patches/series
index ca1231e..724725f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ x32_support.patch
 disable-jit-nonsse2.patch
 fix-ftbfs-m68k.patch
 fix-ftbfs-gcc6.patch
+fix-javascriptcoregtk-sourceURL-handling.patch
-- 
2.8.1
