From d1b02413884099bd2c438a6416b674a3a855cae4 Mon Sep 17 00:00:00 2001
From: Enno Boland
Date: Tue, 30 May 2023 18:00:45 +0200
Subject: [PATCH] quickjs: Fix stack overflow in CVE-2023-31922
---
 .../patch-gh-issue-178-cve-2023-31922.patch | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 srcpkgs/quickjs/patches/patch-gh-issue-178-cve-2023-31922.patch
diff --git a/srcpkgs/quickjs/patches/patch-gh-issue-178-cve-2023-31922.patch b/srcpkgs/quickjs/patches/patch-gh-issue-178-cve-2023-31922.patch
new file mode 100644
index 000000000000..754924c60639
--- /dev/null
+++ b/srcpkgs/quickjs/patches/patch-gh-issue-178-cve-2023-31922.patch
@@ -0,0 +1,42 @@
+From 056459314305f666aee132565df710c42f41ec04 Mon Sep 17 00:00:00 2001
+From: Nick Vatamaniuc
+Date: Sun, 28 May 2023 01:50:46 -0400
+Subject: [PATCH] Fix stack overflow in CVE-2023-31922
+
+isArray and proxy isArray can call each other indefinitely in a mutually
+recursive loop.
+
+Add a stack overflow check in the js_proxy_isArray function before calling
+JS_isArray(ctx, s->target).
+
+With ASAN the the poc.js from issue 178:
+
+```
+./qjs ./poc.js
+InternalError: stack overflow
+ at isArray (native)
+ at (./poc.js:4)
+```
+
+Fix: https://github.com/bellard/quickjs/issues/178
+---
+ quickjs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/quickjs.c b/quickjs.c
+index 79160139..a3b0b55f 100644
+--- a/quickjs.c
++++ b/quickjs.c
+@@ -45243,6 +45243,12 @@ static int js_proxy_isArray(JSContext *ctx, JSValueConst obj)
+ JSProxyData *s = JS_GetOpaque(obj, JS_CLASS_PROXY);
+ if (!s)
+ return FALSE;
++
++ if (js_check_stack_overflow(ctx->rt, 0)) {
++ JS_ThrowStackOverflow(ctx);
++ return -1;
++ }
++
+ if (s->is_revoked) {
+ JS_ThrowTypeErrorRevokedProxy(ctx);
+ return -1;
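Review bot: The diffstat shows only the new patch file ("1 file changed, 42 insertions(+)"), with no change to the package template, so unless a separate commit bumps the package revision the already-built quickjs package will not be rebuilt and the CVE-2023-31922 fix will not actually ship to users. The guard itself follows the error convention already used in js_proxy_isArray — it throws and returns -1 exactly like the `is_revoked` branch right below it — so every caller that handles the revoked-proxy path will propagate the stack-overflow exception unchanged; the recursive `JS_IsArray(ctx, s->target)` call that the message refers to lies past the end of the inner hunk. A one-line comment above the new check would spare the next reader a trip to the issue tracker, e.g. `/* a proxy whose target is itself a proxy recurses through JS_IsArray; stop before the C stack is exhausted (quickjs issue 178) */`.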