Fix dup2 when newfd is invalid (#22048)

Fixes: #22040

Author: sbc100

src/library_fs.js

@@ -449,6 +449,9 @@ FS.staticInit();` +
     // object isn't directly passed in. not possible until
     // SOCKFS is completed.
     createStream(stream, fd = -1) {
+#if ASSERTIONS
+      assert(fd >= -1);
+#endif
 
       // clone it, so we can return an instance of FSStream
       stream = Object.assign(new FS.FSStream(), stream);

src/library_syscall.js

@@ -1009,6 +1009,8 @@ var SyscallsLibrary = {
     assert(!flags);
 #endif
     if (old.fd === newfd) return -{{{ cDefs.EINVAL }}};
+    // Check newfd is within range of valid open file descriptors.
+    if (newfd < 0 || newfd >= FS.MAX_OPEN_FDS) return -{{{ cDefs.EBADF }}};
     var existing = FS.getStream(newfd);
     if (existing) FS.close(existing);
     return FS.dupStream(old, newfd).fd;

test/unistd/dup.c

@@ -43,14 +43,26 @@ int main() {
   printf("\n");
   errno = 0;
 
-  printf("DUP2 err\n");
+  printf("DUP2 bad fds\n");
   f = dup2(-2, -2);
   printf("f: %d\n", f == -1);
   printf("errno: %d\n", errno);
   printf("close(f): %d\n", close(f));
   printf("\n");
   errno = 0;
 
+  printf("DUP2 bad newfd\n");
+  f = open("/", O_RDONLY);
+  f3 = dup2(f, -1);
+  printf("f3: %d\n", f3);
+  printf("errno: %d\n", errno);
+  f3 = dup2(f, 256000);
+  printf("f3: %d\n", f3);
+  printf("errno: %d\n", errno);
+  printf("close(f1): %d\n", close(f));
+  printf("\n");
+  errno = 0;
+
   printf("DUP2 pipe\n");
   int p[2];
   pipe(p);

test/unistd/dup.out

@@ -14,11 +14,18 @@ close(f1): 0
 close(f2): 0
 close(f3): -1
 
-DUP2 err
+DUP2 bad fds
 f: 1
 errno: 8
 close(f): -1
 
+DUP2 bad newfd
+f3: -1
+errno: 8
+f3: -1
+errno: 8
+close(f1): 0
+
 DUP2 pipe
 buf: abc