Opened 3 years ago

Closed 2 years ago

#5147 closed change (fixed)

[emscripten] Prevent use-after-free from JavaScript

Reported by: trev Assignee: hfiguiere
Priority: P2 Milestone:
Module: Core Keywords:
Cc: Blocked By:
Blocking: #4122 Platform: Unknown / Cross platform
Ready: yes Confidential: no
Tester: Unknown Verified working: no
Review URL(s):

https://codereview.adblockplus.org/29573044/

Description

Background

Once delete() is called on a JavaScript wrapper of a C++ class, that wrapper should no longer be used. This isn't currently being enforced.

What to change

Change the implementation of delete() to booby trap this._pointer: retrieving this property should produce an exception. This will make sure that no calls into C++ can be performed via this wrapper.
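The booby-trapped delete() described above, shown as an added example rather than the Adblock Plus core code: a small model of an emscripten-style wrapper whose delete() replaces the `_pointer` data property with a throwing accessor. The `Module`, `FakeHeap`, `Wrapper` and `_Object_*` names are assumptions made for the example.

```javascript
// Added example, not Adblock Plus code: a minimal model of an emscripten-style
// JavaScript wrapper whose delete() booby-traps this._pointer.
// Module, FakeHeap, Wrapper and the _Object_* names are assumptions.

// Constructed stand-in for the compiled module's exported C functions.
// A Map plays the role of the emscripten heap.
const FakeHeap = new Map();
let nextAddress = 16;

const Module = {
  _Object_create(value) {
    const ptr = nextAddress;
    nextAddress += 16;
    FakeHeap.set(ptr, { value });
    return ptr;
  },
  _Object_getValue(ptr) {
    // Real linear memory does not know the slot was freed: a read returns
    // whatever happens to be there. Model that with a stale placeholder.
    return FakeHeap.has(ptr) ? FakeHeap.get(ptr).value : 0;
  },
  _Object_destroy(ptr) {
    FakeHeap.delete(ptr);
  },
};

class Wrapper {
  constructor(pointer) {
    // A plain, configurable data property, as a generated binding would set it.
    this._pointer = pointer;
  }

  getValue() {
    return Module._Object_getValue(this._pointer);
  }

  delete() {
    Module._Object_destroy(this._pointer);
    // Booby trap: replace the data property with an accessor that throws, so
    // any method that reads this._pointer fails before it can reach C++.
    Object.defineProperty(this, "_pointer", {
      get() { throw new Error("Wrapper used after delete()"); },
      set() { throw new Error("Wrapper used after delete()"); },
      configurable: false,
    });
  }
}

// Before/after comparison: freeing without the trap lets the stale pointer
// through to C++; the guarded delete() throws at the JavaScript boundary.
function unguardedUseAfterDelete() {
  const w = new Wrapper(Module._Object_create(42));
  Module._Object_destroy(w._pointer); // frees without booby-trapping
  return w.getValue();                // silently reads freed memory -> 0
}

function guardedUseAfterDelete() {
  const w = new Wrapper(Module._Object_create(42));
  const before = w.getValue();
  w.delete();
  let threw = false;
  try {
    w.getValue();
  } catch (e) {
    threw = e.message === "Wrapper used after delete()";
  }
  return { before, threw };
}
```

Because delete() itself reads `this._pointer` before freeing, a second delete() on the same wrapper also fails loudly instead of double-freeing; the `configurable: false` flag stops later code from quietly redefining the property back to a plain value.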

Change History (4)

comment:1 Changed 2 years ago by hfiguiere

  • Owner set to hfiguiere

comment:2 Changed 2 years ago by hfiguiere

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:3 Changed 2 years ago by abpbot

A commit referencing this issue has landed:
Issue 5147 - Invalidate wrapper on delete

comment:4 Changed 2 years ago by hfiguiere

  • Resolution set to fixed
  • Status changed from reviewing to closed