From c4f5c1130ecd2acd8760d22f14b42504e9f6f561 Mon Sep 17 00:00:00 2001
From: zhouwenxuan
Date: Mon, 20 Feb 2023 19:28:59 +0800
Subject: [PATCH] Fix vulnerability CVE-2021-42863 issue: https://gitee.com/openharmony/third_party_jerryscript/issues/I6GFVO
Signed-off-by: zhouwenxuan
---
 .../ecma-builtin-typedarray-prototype.c | 39 ++++++++++++-------
 1 file changed, 26 insertions(+), 13 deletions(-)
diff --git a/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c b/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c
index f4dd0d94..0aa0a58d 100644
--- a/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c
+++ b/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c
@@ -721,9 +721,7 @@ ecma_builtin_typedarray_prototype_filter (ecma_value_t this_arg, /**< this argum
 return ecma_op_create_typedarray_with_type_and_length (info.id, 0);
 }
- JMEM_DEFINE_LOCAL_ARRAY (pass_value_list_p, info.length * info.element_size, lit_utf8_byte_t);
-
- lit_utf8_byte_t *pass_value_p = pass_value_list_p;
+ ecma_collection_t *collected_p = ecma_new_collection ();
 ecma_length_t byte_pos = 0;
 for (uint32_t index = 0; index < info.length; index++)
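Review bot: The new `ecma_collection_t *collected_p = ecma_new_collection ();` line carries no comment, and the ownership rule it introduces (each `get_value` is either pushed into the collection or freed, never both) is only visible in the second hunk. A short comment at the declaration would make that contract explicit: `/* Values that pass the predicate are moved into this collection and released together with it in cleanup. */` — confirm that ecma_collection_free releases the stored values and not only the storage, since the comment depends on it. The enclosing function ecma_builtin_typedarray_prototype_filter begins before this hunk.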
@@ -739,41 +737,56 @@ ecma_builtin_typedarray_prototype_filter (ecma_value_t this_arg, /**< this argum
 ecma_value_t call_value = ecma_op_function_call (func_object_p, cb_this_arg, call_args, 3);
 ecma_fast_free_value (current_index);
- ecma_fast_free_value (get_value);
 if (ECMA_IS_VALUE_ERROR (call_value))
 {
+ ecma_fast_free_value (get_value);
 goto cleanup;
 }
 if (ecma_op_to_boolean (call_value))
 {
- memcpy (pass_value_p, info.buffer_p + byte_pos, info.element_size);
- pass_value_p += info.element_size;
+ ecma_collection_push_back (collected_p, get_value);
+ }
+ else
+ {
+ ecma_fast_free_value (get_value);
 }
 byte_pos += info.element_size;
- ecma_free_value (call_value);
+ ecma_fast_free_value (call_value);
 }
- uint32_t pass_num = (uint32_t) ((pass_value_p - pass_value_list_p) >> info.shift);
+ ecma_value_t collected = ecma_make_number_value (collected_p->item_count);
 ret_value = ecma_op_create_typedarray_with_type_and_length (info.id, pass_num);
 if (!ECMA_IS_VALUE_ERROR (ret_value))
 {
 obj_p = ecma_get_object_from_value (ret_value);
+ ecma_typedarray_info_t target_info = ecma_typedarray_get_info (obj_p);
- JERRY_ASSERT (ecma_typedarray_get_offset (obj_p) == 0);
+ JERRY_ASSERT (target_info.offset == 0);
- memcpy (ecma_typedarray_get_buffer (obj_p),
- pass_value_list_p,
- (size_t) (pass_value_p - pass_value_list_p));
+ ecma_typedarray_setter_fn_t target_typedarray_setter_cb = ecma_get_typedarray_setter_fn (target_info.id);
+ uint32_t target_byte_index = 0;
+ for (uint32_t idx = 0; idx < collected_p->item_count; idx++)
+ {
+ ecma_value_t set_element = target_typedarray_setter_cb (target_info.buffer_p + target_byte_index,
+ collected_p->buffer_p[idx]);
+
+ if (ECMA_IS_VALUE_ERROR (set_element))
+ {
+ goto cleanup;
+ }
+
+ target_byte_index += target_info.element_size;
+ }
 }
 cleanup:
- JMEM_FINALIZE_LOCAL_ARRAY (pass_value_list_p);
+ ecma_collection_free (collected_p);
 return ret_value;
 } /* ecma_builtin_typedarray_prototype_filter */
--
Gitee
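Review bot: `ret_value = ecma_op_create_typedarray_with_type_and_length (info.id, pass_num);` is kept as a context line although this hunk removes the `pass_num` declaration, and the new `ecma_value_t collected` is never read or freed, so as shown the function no longer compiles (unless a line was lost when the patch was flattened). The length should be taken from the collection, `ret_value = ecma_op_create_typedarray_with_type_and_length (info.id, collected_p->item_count);`, and the `collected` number value either dropped or released with `ecma_free_value (collected);` once something consumes it. Separately, when `target_typedarray_setter_cb` fails the loop jumps to `cleanup` with `ret_value` still holding the partially filled typed array, so the error is swallowed and a truncated result is returned; propagate it with `ecma_free_value (ret_value); ret_value = set_element;` before the `goto cleanup;`. The function's start lies outside the hunk.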