Null pointer dereference in quick_js::bindings::OwnedObjectRef::property

[DarkRTA]

The following snippet of code causes a null pointer to be passed as the first argument of JS_GetPropertyStr, causing a null pointer dereference in JS_NewAtomLen

https://github.com/theduke/quickjs-rs/blob/941b3610e7d8e95de99369c9935a79fbbab0a7d3/src/bindings/value.rs#L427

use quick_js::Context;

fn main() {
    let context = Context::new().unwrap();
    context.eval(r#"
(async function() {
    await new Promise((r,j)=>{for(let i = 0; i < 20; i++);})
})()
    "#).unwrap();
}

[andrieshiemstra]

Hi

This method will return or resolve to null because you don't return the result of your inner promise.. plus you don't resolve your inner promise so even if you return it the outer async func will never resolve..

do this...

(async function() {
    return await new Promise((r,j)=>{for(let i = 0; i < 20; i++) {}; r(123);})
})()

i only tested this in my own fork so no promises about this working in quickjs-rs

[DarkRTA]

That's not the point. The point is that no code you run in the JS engine should cause memory safety issues, especially when this crash is caused by this crate and not quickjs itself.

I've tested this in the quickjs interpreter (outside of this crate) and it did not crash at all, so this is entirely an issue with the bindings.

[andrieshiemstra]

Ah i see, well it's not really an issue with the bindings but with the wrapper.

I tried this with my own wrapper (which uses the bindings of this repo) and it neatly returns a never resolving Promise..

Sorry i can't be of more help