[njs] Fixed heap-buffer-overflow in String.prototype.replace().

Dmitry Volyntsev
May 13, 2019 01:32PM
details: https://hg.nginx.org/njs/rev/6babef232e87
branches:
changeset: 961:6babef232e87
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Mon May 13 20:28:40 2019 +0300
description:
Fixed heap-buffer-overflow in String.prototype.replace().

This closes #154 issue on GitHub.

diffstat:

njs/njs_string.c | 5 ++---
njs/test/njs_unit_test.c | 3 +++
2 files changed, 5 insertions(+), 3 deletions(-)

diffs (35 lines):

diff -r 8fe38b9f8a94 -r 6babef232e87 njs/njs_string.c
--- a/njs/njs_string.c Wed May 08 19:09:10 2019 +0300
+++ b/njs/njs_string.c Mon May 13 20:28:40 2019 +0300
@@ -3239,7 +3239,7 @@ njs_string_replace_search(njs_vm_t *vm,
p = r->part[0].start;
end = (p + r->part[0].size) - (search.length - 1);

- do {
+ while (p < end) {
if (memcmp(p, search.start, search.length) == 0) {

if (r->substitutions != NULL) {
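
Review bot: `end` in the context line above the loop is still computed as `(p + r->part[0].size) - (search.length - 1)` with no length check, so when `search.length - 1` exceeds `r->part[0].size` it points before `p`, and the new `while (p < end)` guard is the only thing keeping `memcmp()` from reading `search.length` bytes out of a shorter buffer. Consider returning the no-match result early when `search.length > r->part[0].size`, before `end` is computed, so the loop does not depend on comparing against a pointer formed outside the buffer.
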
@@ -3272,8 +3272,7 @@ njs_string_replace_search(njs_vm_t *vm,
} else {
p = (u_char *) nxt_utf8_next(p, end);
}
-
- } while (p < end);
+ }

njs_string_copy(&vm->retval, &args[0]);

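Review bot: the fall-through to `njs_string_copy(&vm->retval, &args[0])` after the closing `}` is now also reached with zero loop iterations, which is what turns a search string longer than the subject into a plain no-match result, but nothing at that point says so. A one-line comment there (no match, including a search string longer than the subject) would help keep a later cleanup from restoring the `do { ... } while (p < end)` form.
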
diff -r 8fe38b9f8a94 -r 6babef232e87 njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c Wed May 08 19:09:10 2019 +0300
+++ b/njs/test/njs_unit_test.c Mon May 13 20:28:40 2019 +0300
@@ -5336,6 +5336,9 @@ static njs_unit_test_t njs_test[] =
{ nxt_string("'abcdefgh'.replace('d', undefined)"),
nxt_string("abcundefinedefgh") },

+ { nxt_string("'a'.repeat(16).replace('a'.repeat(17)) === 'a'.repeat(16)"),
+ nxt_string("true") },
+
{ nxt_string("'abcdefgh'.replace('d', null)"),
nxt_string("abcnullefgh") },

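Review bot: the added case covers a single size only, a 17-byte ASCII search string against a 16-byte subject, and calls `replace()` without a replacement argument. Consider adding an empty subject with a non-empty search string, a multi-byte UTF-8 subject shorter than the search string, and a call with an explicit replacement. Note also that the case asserts only on the returned string, so the out-of-bounds read itself is caught only when the unit tests run under a memory checker.
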
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel