Skip to content

Check for NULL object references in deserializer#1327

Merged
bnoordhuis merged 1 commit intoquickjs-ng:masterfrom
bnoordhuis:fix1321
Feb 1, 2026
Merged

Check for NULL object references in deserializer#1327
bnoordhuis merged 1 commit intoquickjs-ng:masterfrom
bnoordhuis:fix1321

Conversation

@bnoordhuis
Copy link
Contributor

@bnoordhuis bnoordhuis commented Feb 1, 2026

JS_ReadTypedArray contains a hack where it briefly puts a NULL object pointer in the object reference table to work around a chicken-and-egg problem.

Malicious or corrupt BJSON could reference that entry while it was still NULL and trigger a segfault. Guard against that.

Fixes: #1321

@bnoordhuis
Check for NULL object references in deserializer
71017c3 
JS_ReadTypedArray contains a hack where it briefly puts a NULL object
pointer in the object reference table to work around a chicken-and-egg
problem.

Malicious or corrupt BJSON could reference that entry while it was
still NULL and trigger a segfault. Guard against that.

Fixes: quickjs-ng#1321
@bnoordhuis bnoordhuis mentioned this pull request Feb 1, 2026
Closed
@bnoordhuis bnoordhuis merged commit 5c47676 into quickjs-ng:master Feb 1, 2026
122 checks passed
@bnoordhuis bnoordhuis deleted the fix1321 branch February 1, 2026 13:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saghul saghul saghul approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

NULL Pointer Dereference in bjson (JS_ReadTypedArray)

2 participants

@bnoordhuis @saghul