Opened on 04/16/2017 at 07:09:25 PM
Closed on 10/11/2017 at 05:15:49 PM
#5147 closed change (fixed)
[emscripten] Prevent use-after-free from JavaScript
| Reported by: | trev | Assignee: | hfiguiere |
|---|---|---|---|
| Priority: | P2 | Milestone: | |
| Module: | Core | Keywords: | |
| Cc: | Blocked By: | ||
| Blocking: | #4122 | Platform: | Unknown / Cross platform |
| Ready: | yes | Confidential: | no |
| Tester: | Unknown | Verified working: | no |
| Review URL(s): | |||
Description
Background
Once delete() is called on a JavaScript wrapper of a C++ class, that wrapper should no longer be used. This isn't currently being enforced.
What to change
Change implementation of delete() to booby trap this._pointer - retrieving this property should produce an exception. This will make sure that no calls into C++ can be performed via this wrappper.
Attachments (0)
Change History (4)
comment:1 Changed on 10/10/2017 at 09:49:45 PM by hfiguiere
- Owner set to hfiguiere
comment:2 Changed on 10/10/2017 at 09:51:06 PM by hfiguiere
- Review URL(s) modified (diff)
- Status changed from new to reviewing
comment:3 Changed on 10/11/2017 at 05:15:13 PM by abpbot
comment:4 Changed on 10/11/2017 at 05:15:49 PM by hfiguiere
- Resolution set to fixed
- Status changed from reviewing to closed
Note: See
TracTickets for help on using
tickets.
A commit referencing this issue has landed:
Issue 5147 - Invalidate wrapper on delete