Welcome! Log In Create A New Profile

[njs] Fixed size uint32_t overflow in njs_array_expand().

Forum List Message List New Topic Print View

Dmitry Volyntsev

November 22, 2018 09:40AM

details: https://hg.nginx.org/njs/rev/3b2689be3a57
branches:
changeset: 664:3b2689be3a57
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Thu Nov 22 17:38:25 2018 +0300
description:
Fixed size uint32_t overflow in njs_array_expand().

diffstat:

njs/njs_array.c | 21 ++++++++++++++++-----
njs/test/njs_unit_test.c | 6 ++++++
nxt/nxt_mem_cache_pool.c | 3 ++-
3 files changed, 24 insertions(+), 6 deletions(-)

diffs (108 lines):

diff -r 987f7998a967 -r 3b2689be3a57 njs/njs_array.c
--- a/njs/njs_array.c Thu Nov 22 15:35:25 2018 +0300
+++ b/njs/njs_array.c Thu Nov 22 17:38:25 2018 +0300
@@ -6,6 +6,7 @@

#include <njs_core.h>
#include <string.h>
+#include <stdint.h>

typedef struct {
@@ -136,7 +137,7 @@ njs_array_alloc(njs_vm_t *vm, uint32_t l

size = (uint64_t) length + spare;

- if (nxt_slow_path((size * sizeof(njs_value_t)) >= 0xffffffff)) {
+ if (nxt_slow_path((size * sizeof(njs_value_t)) >= UINT32_MAX)) {
goto memory_error;
}

@@ -201,11 +202,12 @@ njs_array_string_add(njs_vm_t *vm, njs_a

njs_ret_t
njs_array_expand(njs_vm_t *vm, njs_array_t *array, uint32_t prepend,
- uint32_t size)
+ uint32_t new_size)
{
+ uint64_t size;
njs_value_t *start, *old;

- size += array->length;
+ size = (uint64_t) new_size + array->length;

if (nxt_fast_path(size <= array->size && prepend == 0)) {
return NXT_OK;
@@ -218,11 +220,14 @@ njs_array_expand(njs_vm_t *vm, njs_array
size += size / 2;
}

+ if (nxt_slow_path(((prepend + size) * sizeof(njs_value_t)) >= UINT32_MAX)) {
+ goto memory_error;
+ }
+
start = nxt_mem_cache_align(vm->mem_cache_pool, sizeof(njs_value_t),
(prepend + size) * sizeof(njs_value_t));
if (nxt_slow_path(start == NULL)) {
- njs_memory_error(vm);
- return NXT_ERROR;
+ goto memory_error;
}

array->size = size;
@@ -238,6 +243,12 @@ njs_array_expand(njs_vm_t *vm, njs_array
nxt_mem_cache_free(vm->mem_cache_pool, old);

return NXT_OK;
+
+memory_error:
+
+ njs_memory_error(vm);
+
+ return NXT_ERROR;
}

diff -r 987f7998a967 -r 3b2689be3a57 njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c Thu Nov 22 15:35:25 2018 +0300
+++ b/njs/test/njs_unit_test.c Thu Nov 22 17:38:25 2018 +0300
@@ -2905,6 +2905,9 @@ static njs_unit_test_t njs_test[] =
nxt_string("0:0,1:1,2:2,null:null,undefined:defined,false:false,"
"true:true,Infinity:Infinity,-Infinity:-Infinity,NaN:NaN,") },

+ { nxt_string("--[][3e9]"),
+ nxt_string("MemoryError") },
+
{ nxt_string("[].length"),
nxt_string("0") },

@@ -2933,6 +2936,9 @@ static njs_unit_test_t njs_test[] =
{ nxt_string("[].length = 2**32 - 1"),
nxt_string("MemoryError") },

+ { nxt_string("[].length = 3e9"),
+ nxt_string("MemoryError") },
+
{ nxt_string("Object.defineProperty([], 'length',{value: 2**32 - 1})"),
nxt_string("MemoryError") },

diff -r 987f7998a967 -r 3b2689be3a57 nxt/nxt_mem_cache_pool.c
--- a/nxt/nxt_mem_cache_pool.c Thu Nov 22 15:35:25 2018 +0300
+++ b/nxt/nxt_mem_cache_pool.c Thu Nov 22 17:38:25 2018 +0300
@@ -14,6 +14,7 @@
#include <nxt_rbtree.h>
#include <nxt_mem_cache_pool.h>
#include <string.h>
+#include <stdint.h>

/*
@@ -586,7 +587,7 @@ nxt_mem_cache_alloc_large(nxt_mem_cache_
nxt_mem_cache_block_t *block;

/* Allocation must be less than 4G. */
- if (nxt_slow_path(size >= 0xffffffff)) {
+ if (nxt_slow_path(size >= UINT32_MAX)) {
return NULL;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[njs] Fixed size uint32_t overflow in njs_array_expand().	Dmitry Volyntsev	292	November 22, 2018 09:40AM

Sorry, you do not have permission to post/reply in this forum.

Online Users

hackermade

Guests: 316

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018