jscript: Fix addressing invalid memory if ref is an argument.

`ref` can be negative in case it refers to an argument. Even though scope != frame->base_scope would rule this out (because only base scopes have args), it was checked *after* the memory access, which would read out of bounds memory first. This didn't appear as an issue in practice since it's using the heap pool, so there's probably valid memory before it, but it's still wrong. Signed-off-by: Gabriel Ivăncescu <gabrielopcode@gmail.com>

jscript: Fix addressing invalid memory if ref is an argument.
2173cac6 · Gabriel Ivăncescu · Alexandre Julliard · a184ace4 · 2173cac6
Commit 2173cac6 authored Jun 21, 2023 by Gabriel Ivăncescu Committed by Alexandre Julliard Jun 21, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

engine.c dlls/jscript/engine.c +1 -1

No files found.
--- a/dlls/jscript/engine.c
+++ b/dlls/jscript/engine.c
@@ -657,7 +657,7 @@ static HRESULT detach_scope(script_ctx_t *ctx, call_frame_t *frame, scope_chain_

        if (FAILED(hres = jsdisp_propput_name(scope->jsobj, name, ctx->stack[local_off(frame, ref)])))
            return hres;
-        if (frame->function->variables[ref].func_id != -1 && scope != frame->base_scope
+        if (scope != frame->base_scope && frame->function->variables[ref].func_id != -1
                && FAILED(hres = jsdisp_propput_name(frame->variable_obj, name, ctx->stack[local_off(frame, ref)])))
            return hres;
    }