Diffstat (limited to 'libproxy-0.4.15-mozjs-use-after-free.patch')
-rw-r--r--libproxy-0.4.15-mozjs-use-after-free.patch38
1 files changed, 38 insertions, 0 deletions
diff --git a/libproxy-0.4.15-mozjs-use-after-free.patch b/libproxy-0.4.15-mozjs-use-after-free.patch
new file mode 100644
index 0000000..f63a394
--- /dev/null
+++ b/libproxy-0.4.15-mozjs-use-after-free.patch
@@ -0,0 +1,38 @@
+From 738785214546ec5bb772886019529b2a6519deaf Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Fri, 1 May 2020 19:04:22 +0100
+Subject: [PATCH] mozjs: Avoid use-after-free
+
+If we don't assign the temporary std::string returned by
+url_.to_string() to a variable, then it immediately goes out of scope
+and is freed, resulting in the result of c_str() pointing into freed
+memory. This works about as well as you would expect.
+
+Signed-off-by: Simon McVittie <smcv@debian.org>
+---
+ libproxy/modules/pacrunner_mozjs.cpp | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp
+index ade6d0a..aac6531 100644
+--- a/libproxy/modules/pacrunner_mozjs.cpp
++++ b/libproxy/modules/pacrunner_mozjs.cpp
+@@ -175,14 +175,11 @@ class mozjs_pacrunner : public pacrunner {
+
+ string run(const url& url_) throw (bad_alloc) {
+ // Build arguments to the FindProxyForURL() function
+- const char *tmpurl = url_.to_string().c_str();
+- const char *tmphost = url_.get_host().c_str();
+- if (!tmpurl || !tmphost) {
+- throw bad_alloc();
+- }
++ string tmpurl(url_.to_string());
++ string tmphost(url_.get_host());
+ JS::AutoValueArray<2> args(this->jsctx);
+- args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl));
+- args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost));
++ args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl.c_str()));
++ args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost.c_str()));
+
+ // Find the proxy (call FindProxyForURL())
+ JS::RootedValue rval(this->jsctx);
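Review bot: The removed `if (!tmpurl || !tmphost) throw bad_alloc();` guarded pointers from c_str(), which can never be null, while the pointer that can actually be null — the JSString* returned by JS_NewStringCopyZ, which as far as I recall returns nullptr on allocation failure — is still handed to setString unchecked on the two `args[...]` lines. The use-after-free fix itself is right, but since this hunk drops the only explicit bad_alloc path in `run`, it is the natural place to move the check to the JS allocation result so the `throw (bad_alloc)` specification still corresponds to a real failure path. The body of `run` continues outside the hunk. A one-line comment on the new locals, `// Keep the std::string objects alive until JS has copied them`, would also record why the temporaries were replaced, so nobody reintroduces the `.to_string().c_str()` pattern later.
```cpp
JS::AutoValueArray<2> args(this->jsctx);
JSString *jsurl = JS_NewStringCopyZ(this->jsctx, tmpurl.c_str());
JSString *jshost = JS_NewStringCopyZ(this->jsctx, tmphost.c_str());
if (!jsurl || !jshost) {
    throw bad_alloc();
}
args[0].setString(jsurl);
args[1].setString(jshost);
// … unchanged: FindProxyForURL() call …
```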