details: https://hg.nginx.org/njs/rev/5a27272949d8
branches:
changeset: 823:5a27272949d8
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Sun Mar 10 21:13:26 2019 +0300
description:
Fixed heap-buffer-overflow in lexer.

The issue was introduced in 8e2cb4da5e46.

diffstat:

njs/njs_lexer.c | 19 ++-----------------
njs/test/njs_unit_test.c | 3 +++
2 files changed, 5 insertions(+), 17 deletions(-)

diffs (51 lines):

diff -r 4e82cb630c69 -r 5a27272949d8 njs/njs_lexer.c
--- a/njs/njs_lexer.c Sun Mar 10 22:25:59 2019 +0800
+++ b/njs/njs_lexer.c Sun Mar 10 21:13:26 2019 +0300
@@ -371,7 +371,7 @@ njs_lexer_token_push(njs_vm_t *vm, njs_l
{
njs_lexer_token_t *lt;

- lt = nxt_mp_alloc(vm->mem_pool, sizeof(njs_lexer_token_t));
+ lt = nxt_mp_zalloc(vm->mem_pool, sizeof(njs_lexer_token_t));
if (nxt_slow_path(lt == NULL)) {
return NULL;
}
@@ -542,24 +542,9 @@ njs_lexer_next_token(njs_lexer_t *lexer,

/* Fall through. */

- case NJS_TOKEN_BITWISE_NOT:
- case NJS_TOKEN_OPEN_PARENTHESIS:
- case NJS_TOKEN_CLOSE_PARENTHESIS:
- case NJS_TOKEN_OPEN_BRACKET:
- case NJS_TOKEN_CLOSE_BRACKET:
- case NJS_TOKEN_OPEN_BRACE:
- case NJS_TOKEN_CLOSE_BRACE:
- case NJS_TOKEN_COMMA:
- case NJS_TOKEN_COLON:
- case NJS_TOKEN_SEMICOLON:
- case NJS_TOKEN_CONDITIONAL:
+ default:
lt->text.length = lexer->start - lt->text.start;
return token;
-
- case NJS_TOKEN_ILLEGAL:
- default:
- lexer->start--;
- return token;
}

multi:
diff -r 4e82cb630c69 -r 5a27272949d8 njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c Sun Mar 10 22:25:59 2019 +0800
+++ b/njs/test/njs_unit_test.c Sun Mar 10 21:13:26 2019 +0300
@@ -22,6 +22,9 @@ typedef struct {

static njs_unit_test_t njs_test[] =
{
+ { nxt_string("@"),
+ nxt_string("SyntaxError: Unexpected token \"@\" in 1") },
+
{ nxt_string("}"),
nxt_string("SyntaxError: Unexpected token \"}\" in 1") },

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel