Check for NULL object references in deserializer (#1327)

bnoordhuis · web-flow · commit 5c47676bba9a · 2026-02-01T14:54:25.000+01:00
JS_ReadTypedArray contains a hack where it briefly puts a NULL object pointer in the object reference table to work around a chicken-and-egg problem. Malicious or corrupt BJSON could reference that entry while it was still NULL and trigger a segfault. Guard against that. Fixes: #1321
diff --git a/quickjs.c b/quickjs.c
@@ -38649,7 +38649,7 @@ static JSValue JS_ReadObjectRec(BCReaderState *s)
             if (bc_get_leb128(s, &val))
                 return JS_EXCEPTION;
             bc_read_trace(s, "%u\n", val);
-            if (val >= s->objects_count) {
+            if (val >= s->objects_count || !s->objects[val]) {
                 return JS_ThrowSyntaxError(ctx, "invalid object reference (%u >= %u)",
                                            val, s->objects_count);
             }
diff --git a/tests/test_bjson.js b/tests/test_bjson.js
@@ -268,15 +268,15 @@ function bjson_test_bytecode()
     var buf, o, r, e, i;
 
     o = std.evalScript(";(function f(o){ return o.i })", {compile_only: true});
-    buf = bjson.write(o, /*JS_WRITE_OBJ_BYTECODE*/(1 << 0));
+    buf = bjson.write(o, bjson.WRITE_OBJ_BYTECODE);
     try {
         bjson.read(buf, 0, buf.byteLength);
     } catch (_e) {
         e = _e;
     }
     assert(String(e), "SyntaxError: no bytecode allowed");
 
-    o = bjson.read(buf, 0, buf.byteLength, /*JS_READ_OBJ_BYTECODE*/(1 << 0));
+    o = bjson.read(buf, 0, buf.byteLength, bjson.READ_OBJ_BYTECODE);
     assert(String(o), "[function bytecode]");
     o = std.evalScript(o, {eval_function: true});
     for (i = 0; i < 42; i++) o({i}); // exercise o.i IC
@@ -285,15 +285,16 @@ function bjson_test_bytecode()
 function bjson_test_fuzz()
 {
     var corpus = [
-        "FxAAAAAABGA=",
-        "F+bm5oIt",
-        "FwARABMGBgYGBgYGBgYGBv////8QABEALxH/vy8R/78=",
-        "FwAIfwAK/////3//////////////////////////////3/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAAAAAD5+fn5+fn5+fn5+fkAAAAAAAYAqw==",
+        ["FxAAAAAABGA="],
+        ["F+bm5oIt"],
+        ["FwARABMGBgYGBgYGBgYGBv////8QABEALxH/vy8R/78="],
+        ["FwAIfwAK/////3//////////////////////////////3/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAAAAAD5+fn5+fn5+fn5+fkAAAAAAAYAqw=="],
+        ["FwAOAAAAFAA=", bjson.READ_OBJ_REFERENCE],
     ];
-  for (var input of corpus) {
+    for (var [input, flags] of corpus) {
         var buf = base64decode(input);
         try {
-            bjson.read(buf, 0, buf.byteLength);
+            bjson.read(buf, 0, buf.byteLength, flags);
         } catch (e) {
             if (/invalid version/.test(e.message)) throw e; // corpus needs update
         }

Original file line number	Diff line number	Diff line change
`@@ -38649,7 +38649,7 @@ static JSValue JS_ReadObjectRec(BCReaderState *s)`
`38649`	`38649`	`if (bc_get_leb128(s, &val))`
`38650`	`38650`	`return JS_EXCEPTION;`
`38651`	`38651`	`bc_read_trace(s, "%u\n", val);`
`38652`		`- if (val >= s->objects_count) {`
	`38652`	`+ if (val >= s->objects_count \|\| !s->objects[val]) {`
`38653`	`38653`	`return JS_ThrowSyntaxError(ctx, "invalid object reference (%u >= %u)",`
`38654`	`38654`	`val, s->objects_count);`
`38655`	`38655`	`}`