[gjs/gnome-3-36] function: Don't crash if a callback doesn't return an array of values



commit 5a8b9bb6a7b5847e17ecd3a58d6ace70601d5a64
Author: Marco Trevisan (Treviño) <mail 3v1n0 net>
Date:   Tue Mar 17 18:07:52 2020 +0100

    function: Don't crash if a callback doesn't return an array of values
    
    When a function returns multiple values, we expect to have an array,
    however gjs doesn't do any strong check on this and we just assume that
    JS just returned us an array, and this may lead to a crash when calling
    JS_GetElement on a value that isn't an object or an array.
    
    So, check that the JS function just returned us an array, and warn in
    case this didn't happen.

 gi/function.cpp | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
---
diff --git a/gi/function.cpp b/gi/function.cpp
index 45662f83..038dffa1 100644
--- a/gi/function.cpp
+++ b/gi/function.cpp
@@ -390,6 +390,21 @@ static void gjs_callback_closure(ffi_cif* cif G_GNUC_UNUSED, void* result,
             break;
         }
     } else {
+        bool is_array = rval.isObject();
+        if (!JS_IsArrayObject(context, rval, &is_array))
+            goto out;
+
+        if (!is_array) {
+            JSFunction* fn = gjs_closure_get_callable(trampoline->js_function);
+            gjs_throw(context,
+                      "Function %s (%s.%s) returned unexpected value, "
+                      "expecting an Array",
+                      gjs_debug_string(JS_GetFunctionDisplayId(fn)).c_str(),
+                      g_base_info_get_namespace(trampoline->info),
+                      g_base_info_get_name(trampoline->info));
+            goto out;
+        }
+
         JS::RootedValue elem(context);
         JS::RootedObject out_array(context, rval.toObjectOrNull());
         gsize elem_idx = 0;
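
Review bot: The initializer in `bool is_array = rval.isObject();` is dead, because the very next line passes `&is_array` to JS_IsArrayObject, which overwrites it on success, and the failure path jumps to `out` without reading it. Declare it as a plain `bool is_array;` (or `= false`) so a reader does not assume isObject() takes part in the check. Separately, the commit message says the code will "warn", but the non-array branch calls gjs_throw and then `goto out`, so the callback sets a pending JS exception rather than logging a warning; the message or a short comment above the branch should say that. The diffstat touches only gi/function.cpp, so a regression test with a callback that returns a non-array where multiple return values are expected would be worth adding alongside this.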

