fix: heap use-after-free for JS::UniqueChars

Xmader · Xmader · commit 0f3039b6135b · 2024-09-04T23:48:57.000Z
`JS::UniqueChars` will free the string buffer in its destructor, so it must be kept alive until the end of the function
diff --git a/src/PyObjectProxyHandler.cc b/src/PyObjectProxyHandler.cc
@@ -44,8 +44,9 @@ bool PyObjectProxyHandler::handleGetOwnPropertyDescriptor(JSContext *cx, JS::Han
   JS::MutableHandle<mozilla::Maybe<JS::PropertyDescriptor>> desc, PyObject *item) {
   // see if we're calling a function
   if (id.isString()) {
-    JS::RootedString idString(cx, id.toString());
-    const char *methodName = JS_EncodeStringToUTF8(cx, idString).get();
+    JS::UniqueChars idString = JS_EncodeStringToUTF8(cx, JS::RootedString(cx, id.toString()));
+    const char *methodName = idString.get();
+
     if (!strcmp(methodName, "toString") || !strcmp(methodName, "toLocaleString") || !strcmp(methodName, "valueOf")) {
       JS::RootedObject objectPrototype(cx);
       if (!JS_GetClassPrototype(cx, JSProto_Object, &objectPrototype)) {
