Use-after-free in js_print_object in QuickJS

In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. This results in a use-after-free.A second instance occurs in the same function during printing of a map or set objects. The code iterates over ms->records list, but once again, elements could be removed from the list during js_print_value call.

N/A

释放后使用

QuickJS 安全漏洞

QuickJS是QuickJS开源的一个小型且可嵌入的 Javascript 引擎。 QuickJS存在安全漏洞，该漏洞源于js_print_object函数在打印数组和集合对象时未正确处理回调期间的数组大小变化，可能导致释放后重用。

N/A

N/A