From 056459314305f666aee132565df710c42f41ec04 Mon Sep 17 00:00:00 2001
From: Nick Vatamaniuc
Date: Sun, 28 May 2023 01:50:46 -0400
Subject: [PATCH] Fix stack overflow in CVE-2023-31922

isArray and proxy isArray can call each other indefinitely in a mutually recursive loop. Add a stack overflow check in the js_proxy_isArray function before calling JS_isArray(ctx, s->target).

With ASAN the the poc.js from issue 178:
```
./qjs ./poc.js
InternalError: stack overflow
at isArray (native)
at (./poc.js:4)
```

Fix: https://github.com/bellard/quickjs/issues/178
---
 quickjs.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/quickjs.c b/quickjs.c
index 79160139..a3b0b55f 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -45243,6 +45243,12 @@ static int js_proxy_isArray(JSContext *ctx, JSValueConst obj)
     JSProxyData *s = JS_GetOpaque(obj, JS_CLASS_PROXY);
     if (!s)
         return FALSE;
+
+    if (js_check_stack_overflow(ctx->rt, 0)) {
+        JS_ThrowStackOverflow(ctx);
+        return -1;
+    }
+
     if (s->is_revoked) {
         JS_ThrowTypeErrorRevokedProxy(ctx);
         return -1;
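Review bot: The added guard carries no comment, so a later reader has nothing in the code telling them it is a security bound rather than a redundant check; a line above the `if` such as `/* a proxy whose target is itself a proxy recurses through JS_IsArray; bound the depth by the native stack (issue 178) */` would anchor it. Returning -1 with a pending exception is only a fix if every caller of js_proxy_isArray propagates a negative result instead of treating it as FALSE; those callers are outside the hunk and the commit does not show them, so that is worth confirming. The poc.js referenced in the description would make a useful regression test in the test suite, since nothing in the hunk itself prevents the guard from being dropped in a later refactor. The body of js_proxy_isArray continues past the end of the hunk.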