Fix possible use after free in Array#forEach if the array resizes halfway (#408)

2025-04-25 07:02:13 +00:00 · 2019-01-09 20:06:34 +08:00 · 2019-01-09 20:06:34 +08:00 · 9ec226de1b
commit 9ec226de1b
parent 20f4092eb2
4 changed files with 1328 additions and 986 deletions
--- a/std/assembly/array.ts
+++ b/std/assembly/array.ts
@ -250,9 +250,8 @@ export class Array<T> {
  }

  forEach(callbackfn: (value: T, index: i32, array: Array<T>) => void): void {
-    var buffer = this.buffer_;
    for (let index = 0, toIndex = this.length_; index < toIndex && index < this.length_; ++index) {
-      callbackfn(LOAD<T>(buffer, index), index, this);
+      callbackfn(LOAD<T>(this.buffer_, index), index, this);
    }
  }

--- a/tests/compiler/std/array.optimized.wat
+++ b/tests/compiler/std/array.optimized.wat
--- a/tests/compiler/std/array.ts
+++ b/tests/compiler/std/array.ts
@ -537,7 +537,34 @@ assert(arr.length == 2);
 arr.push(2);
 arr.push(3);

-
+// Test rehash action effec
+arr.forEach((value: i32, index: i32, array: Array<i32>): void => {
+  if (index == 0) {
+    for (let i = 0; i < 4; i++) {
+      array.pop();
+    }
+    for (let i = 0; i < 100; i++) {
+      array.push(100 + i);
+    }
+    for (let i = 0; i < 100; i++) {
+      array.pop();
+    }
+    for (let i = 0; i < 100; i++) {
+      array.push(i + 200);
+    }
+  }
+  if (index == 2) {
+    assert(value == 202);
+  }
+});
+assert(arr.length == 100)
+for (let i = 0; i < 100; i++) {
+  arr.pop();
+}
+arr.push(0);
+arr.push(1);
+arr.push(2);
+arr.push(3);
 // Array#map ///////////////////////////////////////////////////////////////////////////////////////

 var newArr: f32[] = arr.map<f32>((value: i32, index: i32, array: Array<i32>): f32 => <f32>value);
--- a/tests/compiler/std/array.untouched.wat
+++ b/tests/compiler/std/array.untouched.wat