From 110f1053a68f21882d10a8bd86d3ce838f4f2206 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E5=BF=A0=E9=BD=90?= <wangzhongqi5@huawei.com>
Date: Tue, 22 Jul 2025 16:38:08 +0800
Subject: [PATCH] fix uaf in OH_JSVM_CloseHandleScope
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 王忠齐 <wangzhongqi5@huawei.com>
---
 src/js_native_api_v8.cpp |  1 +
 src/jsvm_env.h           | 27 ++++++++++++++++++++-------
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/src/js_native_api_v8.cpp b/src/js_native_api_v8.cpp
index 1efcc74..84a2b66 100644
--- a/src/js_native_api_v8.cpp
+++ b/src/js_native_api_v8.cpp
@@ -4491,6 +4491,7 @@ JSVM_Status OH_JSVM_RetainScript(JSVM_Env env, JSVM_Script script)
 
     jsvmData->taggedPointer = v8::Global<v8::Script>(env->isolate, jsvmData->ToV8Local<v8::Script>(env->isolate));
 
+    env->RetainJsvmData(jsvmData);
     jsvmData->isGlobal = true;
     return ClearLastError(env);
 }
diff --git a/src/jsvm_env.h b/src/jsvm_env.h
index 05e8724..756df3d 100644
--- a/src/jsvm_env.h
+++ b/src/jsvm_env.h
@@ -16,6 +16,7 @@
 #ifndef JSVM_ENV_H
 #define JSVM_ENV_H
 #include <functional>
+#include <list>
 #include <mutex>
 #include <vector>
 
@@ -132,25 +133,37 @@ public:
     template<typename T>
     JSVM_Script_Data__* NewJsvmData(T srcPtr, JSVM_Script_Data__::DataType type = JSVM_Script_Data__::kJsvmScript)
     {
-        if (dataStack.empty() || openHandleScopes != dataStack.top().first) {
-            dataStack.emplace(openHandleScopes, std::vector<JSVM_Script_Data__*>());
+        if (dataStack.size() == 0 || openHandleScopes != dataStack.back().first) {
+            dataStack.emplace_back(openHandleScopes, std::list<JSVM_Script_Data__*>());
         }
         auto newData = new JSVM_Script_Data__(srcPtr, false, type);
-        dataStack.top().second.push_back(newData);
+        dataStack.back().second.push_back(newData);
         return newData;
     }
 
     void ReleaseJsvmData()
     {
-        if (dataStack.empty() || openHandleScopes != dataStack.top().first) {
+        if (dataStack.size() == 0 || openHandleScopes != dataStack.back().first) {
             return;
         }
-        for (auto data : dataStack.top().second) {
+        for (auto data : dataStack.back().second) {
             if (!data->isGlobal) {
                 delete data;
             }
         }
-        dataStack.pop();
+        dataStack.pop_back();
+    }
+
+    void RetainJsvmData(JSVM_Script_Data__* data)
+    {
+        for (auto iter = dataStack.rbegin(); iter != dataStack.rend(); ++iter) {
+            auto& current = iter->second;
+            auto globalData = std::find(current.begin(), current.end(), data);
+            if (globalData != current.end()) {
+                current.erase(globalData);
+                break;
+            }
+        }
     }
 
     // Shortcut for context()->GetIsolate()
@@ -168,7 +181,7 @@ public:
     v8impl::RefList finalizerList;
 
     // Store v8::Data
-    std::stack<std::pair<int, std::vector<JSVM_Script_Data__*>>> dataStack;
+    std::vector<std::pair<int, std::list<JSVM_Script_Data__*>>> dataStack;
 
     // Store external instance data
     void* instanceData = nullptr;
-- 
Gitee