From c4e29ad07ed26d1a033da3de896fc555faabc0fb Mon Sep 17 00:00:00 2001 From: Thomas Barber Date: Sat, 24 Feb 2024 09:27:36 +0000 Subject: [PATCH] Foxhound: tainting StringBuffer before String creation --- js/src/builtin/String.cpp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/js/src/builtin/String.cpp b/js/src/builtin/String.cpp index cd82b37f3e311..c04905cff1d52 100644 --- a/js/src/builtin/String.cpp +++ b/js/src/builtin/String.cpp @@ -3688,18 +3688,18 @@ static JSString* ReplaceAll(JSContext* cx, JSLinearString* string, return nullptr; } - // Step 16. - auto* resultString = result.finishString(); - if (!resultString) { - return nullptr; - } - // Taintfox: extend the taint flow if(result.taint().hasTaint()) { result.taint().extend( TaintOperationFromContextJSString(cx, "replaceAll", true, searchString, replaceString)); } + // Step 16. + auto* resultString = result.finishString(); + if (!resultString) { + return nullptr; + } + return resultString; }
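Review bot: The moved Step 16 block now makes the taint extension order-dependent on `result.finishString()`, but nothing in the code records that constraint, so a later tidy-up could move the block back above the `// Taintfox` section and silently reintroduce the bug this commit fixes; the context comment should state it, e.g. `// Taintfox: extend the taint flow on the StringBuffer *before* finishString() hands the buffer (and its taint) to the new JSString; extending afterwards would not reach the result.` The commit subject ("tainting StringBuffer before String creation") suggests the buffer's taint is transferred at string creation, which I take to be the reason for the reordering but cannot confirm from the hunk alone. A debug-only assertion after `finishString()` that the returned string is tainted whenever `result.taint().hasTaint()` held would pin the behaviour against regression, though the hunk does not show which JSString accessor exposes that check. The enclosing `ReplaceAll` begins before this hunk.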