Foxhound: tainting StringBuffer before String creation

SAP · Feb 24, 2024 · c4e29ad · c4e29ad
1 parent 70c41d5
commit c4e29ad
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/js/src/builtin/String.cpp b/js/src/builtin/String.cpp
@@ -3688,18 +3688,18 @@ static JSString* ReplaceAll(JSContext* cx, JSLinearString* string,
     return nullptr;
   }
 
-  // Step 16.
-  auto* resultString = result.finishString();
-  if (!resultString) {
-    return nullptr;
-  }
-
   // Taintfox: extend the taint flow
   if(result.taint().hasTaint()) {
     result.taint().extend(
       TaintOperationFromContextJSString(cx, "replaceAll", true, searchString, replaceString));
   }
 
+  // Step 16.
+  auto* resultString = result.finishString();
+  if (!resultString) {
+    return nullptr;
+  }
+
   return resultString;
 }