From 097dd4197074c5566664e5668fd49db97bfd06dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ole=20Andr=C3=A9=20Vadla=20Ravn=C3=A5s?=
Date: Thu, 11 Jan 2024 14:16:44 +0100
Subject: [PATCH] gumjs: Fix use-after-free in Stalker QuickJS callback logic

We need to keep the callback values alive in case Stalker.garbageCollect() happens in the middle and releases them.

Co-authored-by: Alex Soler
Co-authored-by: Francesco Tamagni
---
 bindings/gumjs/gumquickeventsink.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/bindings/gumjs/gumquickeventsink.c b/bindings/gumjs/gumquickeventsink.c
index 3fba7d9dc..2e921f7cc 100644
--- a/bindings/gumjs/gumquickeventsink.c
+++ b/bindings/gumjs/gumquickeventsink.c
@@ -306,6 +306,7 @@ gum_quick_js_event_sink_drain (GumQuickJSEventSink * self)
 
   if (!JS_IsNull (self->on_call_summary))
   {
+    JSValue callback;
     JSValue summary;
     GHashTable * frequencies;
     GumCallEvent * ev;
@@ -314,6 +315,8 @@ gum_quick_js_event_sink_drain (GumQuickJSEventSink * self)
     gpointer target, count;
     gchar target_str[32];
 
+    callback = JS_DupValue (ctx, self->on_call_summary);
+
     summary = JS_NewObject (ctx);
     frequencies = g_hash_table_new (NULL, NULL);
 
@@ -346,16 +349,19 @@ gum_quick_js_event_sink_drain (GumQuickJSEventSink * self)
 
     g_hash_table_unref (frequencies);
 
-    _gum_quick_scope_call_void (&scope, self->on_call_summary, JS_UNDEFINED,
-        1, &summary);
+    _gum_quick_scope_call_void (&scope, callback, JS_UNDEFINED, 1, &summary);
 
     JS_FreeValue (ctx, summary);
+    JS_FreeValue (ctx, callback);
   }
 
   if (!JS_IsNull (self->on_receive))
   {
-    _gum_quick_scope_call_void (&scope, self->on_receive, JS_UNDEFINED,
-        1, &buffer_val);
+    JSValue callback = JS_DupValue (ctx, self->on_receive);
+
+    _gum_quick_scope_call_void (&scope, callback, JS_UNDEFINED, 1, &buffer_val);
+
+    JS_FreeValue (ctx, callback);
   }
 
   JS_FreeValue (ctx, buffer_val);
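Review bot: The reason for the JS_DupValue/JS_FreeValue pair around each callback invocation lives only in the commit message, so a reader of the function cannot tell why `self->on_call_summary` and `self->on_receive` are no longer passed directly and a later cleanup could reintroduce the use-after-free; the dup in the second hunk should carry a comment such as `/* Hold our own reference: per the commit message the callback may trigger Stalker.garbageCollect(), which releases the sink's callback values while we are still calling into them. */`, with a one-line pointer to it at the on_receive dup in the third hunk. The two branches also differ in shape — the on_call_summary branch declares `callback` at the top and assigns it many lines before the call, while the on_receive branch initializes it at the point of use — which is harmless but makes the dup/free pairing harder to see in the first branch; moving the assignment next to the `_gum_quick_scope_call_void` would keep the held reference's live range minimal. gum_quick_js_event_sink_drain starts before the first hunk and continues after the last, so any early exit between the dup and the free that exists outside these hunks would leak the extra reference and should be checked.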