details: https://hg.nginx.org/njs/rev/4c0de77ef946
branches:
changeset: 728:4c0de77ef946
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Wed Jan 16 18:55:16 2019 +0300
description:
Fixed heap-use-after-free introduced in 045ba10db769.

diffstat:

njs/njs_function.c | 3 ++-
njs/njs_vm.c | 5 ++++-
2 files changed, 6 insertions(+), 2 deletions(-)

diffs (48 lines):

diff -r fb2c2bca61c2 -r 4c0de77ef946 njs/njs_function.c
--- a/njs/njs_function.c Fri Jan 11 19:20:38 2019 +0800
+++ b/njs/njs_function.c Wed Jan 16 18:55:16 2019 +0300
@@ -528,7 +528,6 @@ njs_function_native_call(njs_vm_t *vm, n
frame = vm->top_frame;

vm->top_frame = njs_function_previous_frame(frame);
- njs_function_frame_free(vm, frame);

/*
* If a retval is in a callee arguments scope it
@@ -552,6 +551,8 @@ njs_function_native_call(njs_vm_t *vm, n
*value = vm->retval;
}

+ njs_function_frame_free(vm, frame);
+
return NXT_OK;
}

diff -r fb2c2bca61c2 -r 4c0de77ef946 njs/njs_vm.c
--- a/njs/njs_vm.c Fri Jan 11 19:20:38 2019 +0800
+++ b/njs/njs_vm.c Wed Jan 16 18:55:16 2019 +0300
@@ -2287,12 +2287,15 @@ const njs_vmcode_generic_t njs_continua
static njs_ret_t
njs_vmcode_continuation(njs_vm_t *vm, njs_value_t *invld1, njs_value_t *invld2)
{
+ u_char *return_address;
njs_ret_t ret;
njs_native_frame_t *frame;
njs_continuation_t *cont;

frame = vm->top_frame;
+
cont = njs_vm_continuation(vm);
+ return_address = cont->return_address;

ret = njs_function_native_call(vm, cont->function, frame->arguments,
cont->args_types, frame->nargs,
@@ -2300,7 +2303,7 @@ njs_vmcode_continuation(njs_vm_t *vm, nj

switch (ret) {
case NXT_OK:
- vm->current = cont->return_address;
+ vm->current = return_address;
/* Fall through. */

case NJS_APPLIED:
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel