details: https://hg.nginx.org/njs/rev/c4522b3d3ff0
branches:
changeset: 795:c4522b3d3ff0
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Fri Feb 22 20:33:31 2019 +0300
description:
Fixed heap-buffer-overflow in String.prototype.split().

diffstat:

njs/njs_string.c | 11 ++++++++---
njs/test/njs_unit_test.c | 3 +++
2 files changed, 11 insertions(+), 3 deletions(-)

diffs (47 lines):

diff -r c0e7041165c0 -r c4522b3d3ff0 njs/njs_string.c
--- a/njs/njs_string.c Thu Feb 21 20:47:52 2019 +0300
+++ b/njs/njs_string.c Fri Feb 22 20:33:31 2019 +0300
@@ -2726,7 +2726,7 @@ njs_string_prototype_split(njs_vm_t *vm,
uint32_t limit;
njs_utf8_t utf8;
njs_array_t *array;
- const u_char *p, *start, *next, *end;
+ const u_char *p, *start, *next, *last, *end;
njs_regexp_utf8_t type;
njs_string_prop_t string, split;
njs_regexp_pattern_t *pattern;
@@ -2778,14 +2778,19 @@ njs_string_prototype_split(njs_vm_t *vm,

start = string.start;
end = string.start + string.size;
+ last = end - split.size;

do {
- for (p = start; p < end; p++) {
+ for (p = start; p <= last; p++) {
if (memcmp(p, split.start, split.size) == 0) {
- break;
+ goto found;
}
}

+ p = end;
+
+found:
+
next = p + split.size;

/* Empty split string. */
diff -r c0e7041165c0 -r c4522b3d3ff0 njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c Thu Feb 21 20:47:52 2019 +0300
+++ b/njs/test/njs_unit_test.c Fri Feb 22 20:33:31 2019 +0300
@@ -5096,6 +5096,9 @@ static njs_unit_test_t njs_test[] =
{ nxt_string("'囲α碁α織'.split('α')"),
nxt_string("囲,碁,織") },

+ { nxt_string("'a'.repeat(16).split('a'.repeat(15))"),
+ nxt_string(",a") },
+
{ nxt_string("('α'+'β'.repeat(33)).repeat(2).split('α')[1][32]"),
nxt_string("β") },

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel