
Commit 376a73e

fix conditional expression bug and add array.length()
1 parent 8ada2c9 commit 376a73e

7 files changed

Lines changed: 34 additions & 8 deletions

Release/vuln_javascript.exe

0 Bytes
Binary file not shown.

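--- a/javascript_envirment.cpp
+++ b/javascript_envirment.cpp
@@ -321,7 +321,7 @@ static bool execute_function_call(string& express) {
 return eval_function(express);
 }
 
-static bool execute_calculation_term(string& express) {
+bool execute_calculation_term(string& express) {
 if (INVALID_VALUE!=express.find("==")) {
 if (express_calcu(express.substr(0,express.find("==")))) {
 copy_variant(JAVASCRIPT_VARIANT_KEYNAME_EXPRESS_LEFT_RESULT,JAVASCRIPT_VARIANT_KEYNAME_CALCULATION_RESULT);
@@ -426,6 +426,16 @@ static bool execute_calculation_term(string& express) {
 }
 }
 }
+} else {
+if (!express.empty()) {
+if (express_calcu(express)) {
+unsigned long calcu_term_value=0;
+support_javascript_variant_type calcu_term_value_type=NONE;
+get_variant(JAVASCRIPT_VARIANT_KEYNAME_CALCULATION_RESULT,(void*)&calcu_term_value,&calcu_term_value_type);
+if (calcu_term_value)
+return true;
+}
+}
 }
 return false;
 }
@@ -438,10 +448,10 @@ bool express_calcu(string express) {
 } else if (execute_function_call(express)) {
 copy_variant(JAVASCRIPT_VARIANT_KEYNAME_CALCULATION_RESULT,JAVASCRIPT_VARIANT_KEYNAME_FUNCTION_RESULT);
 return true;
-} else if (execute_calculation_term(express)) {
+}/* else if (execute_calculation_term(express)) {
 copy_variant(JAVASCRIPT_VARIANT_KEYNAME_CALCULATION_RESULT,JAVASCRIPT_VARIANT_KEYNAME_FUNCTION_RESULT);
 return true;
-}
+}*/
 express_type express_type_=get_express_type(express);
 if (EXPRESSION_UNKNOW!=express_type_) {
 if (EXPRESSION_NUMBER_DECIMAL==express_type_) {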
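Review bot: In the new `else` branch of execute_calculation_term, `get_variant` fills `calcu_term_value_type` but the truthiness test on the next line ignores it, so when the calculation result is a non-numeric variant (this codebase distinguishes NUMBER, INT_ARRAY and OBJECT_ARRAY, and the array case stores a `base_array*`) the `unsigned long` slot receives whatever representation `get_variant` writes for that type and a pointer or string payload is treated as a boolean. Gate the test on the type, `if (NUMBER==calcu_term_value_type && calcu_term_value) return true;`, and decide explicitly what a non-number condition should mean instead of inheriting pointer truthiness. The branch also returns false both for a condition that evaluates to 0 and for an expression that failed to parse, so callers cannot tell "false" from "error"; a comment stating that contract, `// returns false for both a zero-valued term and an unparseable one`, would at least make it visible. The commented-out `else if (execute_calculation_term(express))` in express_calcu should be deleted rather than kept as dead code now that callers invoke the helper directly. The body of execute_calculation_term between the two hunks is outside this view.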

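--- a/javascript_envirment.h
+++ b/javascript_envirment.h
@@ -11,5 +11,6 @@ using std::string;
 bool init_javascript_envirment(void);
 bool eval(string express);
 bool express_calcu(string express);
+bool execute_calculation_term(string& express);
 
 #endif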

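--- a/javascript_function.cpp
+++ b/javascript_function.cpp
@@ -156,6 +156,14 @@ static bool string_object_length(string& object) {
 return true;
 }
 
+static bool array_object_length(string& object) {
+base_array* array_class=NULL;
+support_javascript_variant_type array_class_type=NONE;
+get_variant(object,(void*)&array_class,&array_class_type);
+set_variant(JAVASCRIPT_VARIANT_KEYNAME_FUNCTION_RESULT,(void*)array_class->length(),NUMBER);
+return true;
+}
+
 void init_native_function(void) {
 local_function_table[JAVASCRIPT_NATIVE_OBJECT_CONSOLE]["log"].is_native_function=true;
 local_function_table[JAVASCRIPT_NATIVE_OBJECT_CONSOLE]["log"].native_function=console_log;
@@ -225,6 +233,12 @@ static bool call_javascript_object_native_function(string base_object,string fun
 return true;
 }
 }
+} else if (INT_ARRAY==variant_type) {
+if ("length"==function_name)
+return array_object_length(base_object);
+} else if (OBJECT_ARRAY==variant_type) {
+if ("length"==function_name)
+return array_object_length(base_object);
 }
 }
 return false;
@@ -273,7 +287,8 @@ bool eval_function(string express) { // console.log(express); or console.log(e
 trim(express);
 unsigned long first_left_bracket_index=express.find('(');
 unsigned long match_right_bracket_index=get_matching_outside_right_bracket(express,0);
-if (INVALID_VALUE==first_left_bracket_index || INVALID_VALUE==match_right_bracket_index)
+unsigned long equal_index=express.find('=');
+if (INVALID_VALUE==first_left_bracket_index || INVALID_VALUE==match_right_bracket_index || INVALID_VALUE!=equal_index)
 return false;
 
 string function_name(express.substr(0,first_left_bracket_index));
@@ -318,7 +333,7 @@ bool eval_function(string express) { // console.log(express); or console.log(e
 }
 trim(object_name);
 trim(function_name);
-if (!is_exist_native_object(object_name) && is_exist_variant(object_name))
+if (is_exist_variant(object_name))
 return call_javascript_object_native_function(object_name,function_name,function_argments_list);
 if (is_exist_native_object_function(object_name,function_name)) {
 if (local_function_table[object_name][function_name].is_native_function) {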
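Review bot: array_object_length dereferences `array_class` on the `set_variant` line without checking that `get_variant` actually produced a `base_array*`, so if the lookup fails the pointer keeps its initial NULL and `length()` is a null dereference, and if the variant holds a different payload the call is type-confused. The caller only reaches it for INT_ARRAY/OBJECT_ARRAY variants, but the helper should still defend itself: `if (NULL==array_class || (INT_ARRAY!=array_class_type && OBJECT_ARRAY!=array_class_type)) return false;` before the `set_variant`. The new `INVALID_VALUE!=equal_index` test in eval_function rejects any call expression containing `=`, which includes a `==` comparison or a string literal inside the argument list such as `console.log("a=b")`; if the intent is only to skip assignments, the scan should ignore `=` inside quotes and `==`. Dropping `!is_exist_native_object(object_name)` also means a script variable named like a native object (e.g. `console`) is now routed through call_javascript_object_native_function first; if that shadowing is intended it deserves a one-line comment. eval_function continues past the hunk.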

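--- a/javascript_syntax.cpp
+++ b/javascript_syntax.cpp
@@ -43,7 +43,7 @@ bool eval_for(string& express) {
 trim(express);
 
 while (true) {
-if (!express_calcu(term))
+if (!execute_calculation_term(term))
 return false;
 unsigned long eval_result=0;
 support_javascript_variant_type eval_result_type=NONE;
@@ -75,7 +75,7 @@ bool eval_if(string& express) {
 }
 trim(express);
 
-unsigned long left_bracket_index=express.find('('),right_bracket_index=express.find(')');
+unsigned long left_bracket_index=express.find('('),right_bracket_index=get_matching_outside_right_bracket(express,0);
 string if_term;
 if (INVALID_VALUE!=left_bracket_index && INVALID_VALUE!=right_bracket_index) { // check if term syntax ..
 if_term=express.substr(left_bracket_index+1,right_bracket_index-left_bracket_index-1);
@@ -100,7 +100,7 @@ bool eval_if(string& express) {
 }
 
 if (!if_term.empty()) {
-if (express_calcu(if_term)) {
+if (execute_calculation_term(if_term)) {
 unsigned long term_calcu_result=0;
 support_javascript_variant_type term_calcu_result_type=NONE;
 get_variant(JAVASCRIPT_VARIANT_KEYNAME_FUNCTION_RESULT,(void*)&term_calcu_result,&term_calcu_result_type);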
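Review bot: eval_if now calls execute_calculation_term directly but on the last line still reads the condition value from JAVASCRIPT_VARIANT_KEYNAME_FUNCTION_RESULT, while the new non-`==` branch that this commit adds to execute_calculation_term (javascript_envirment.cpp) leaves its value in JAVASCRIPT_VARIANT_KEYNAME_CALCULATION_RESULT via express_calcu and no longer passes through the express_calcu copy step that used to move it; unless the `==` path writes FUNCTION_RESULT outside this view, a bare condition such as `if (x)` reads a stale value. Read the key the helper actually writes, `get_variant(JAVASCRIPT_VARIANT_KEYNAME_CALCULATION_RESULT,(void*)&term_calcu_result,&term_calcu_result_type);`, or document which key carries the condition for each branch. In eval_for the same substitution means a loop condition that evaluates to 0 now makes `execute_calculation_term(term)` return false, and the `return false` on the next line treats that as a failure of the whole `for` rather than normal loop exit; if the lines beyond the hunk do not compensate, the result should be read before deciding. The `get_matching_outside_right_bracket` change is a real fix for nested parentheses and deserves a comment, e.g. `// match the outermost ')' so nested parentheses in the condition are kept`. eval_for and eval_if both extend past their hunks.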

vuln_javascript.ncb

0 Bytes
Binary file not shown.

vuln_javascript.opt

1 KB
Binary file not shown.
