details: https://hg.nginx.org/njs/rev/895f4887702d
branches:
changeset: 963:895f4887702d
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Tue May 14 19:13:53 2019 +0300
description:
Fixed heap-buffer-overflow in String.prototype.lastIndexOf().

This closes #151 issue on Github.

diffstat:

njs/njs_string.c | 9 +++++++--
njs/test/njs_unit_test.c | 10 ++++++++++
2 files changed, 17 insertions(+), 2 deletions(-)

diffs (39 lines):

diff -r 1cce73676665 -r 895f4887702d njs/njs_string.c
--- a/njs/njs_string.c Tue May 14 19:00:03 2019 +0300
+++ b/njs/njs_string.c Tue May 14 19:13:53 2019 +0300
@@ -1831,8 +1831,13 @@ njs_string_prototype_last_index_of(njs_v
}
}

- if (index > length) {
- index = length;
+ if (search_length == 0) {
+ index = nxt_min(index, length);
+ goto done;
+ }
+
+ if (index >= length) {
+ index = length - 1;
}

if (string.size == (size_t) length) {
diff -r 1cce73676665 -r 895f4887702d njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c Tue May 14 19:00:03 2019 +0300
+++ b/njs/test/njs_unit_test.c Tue May 14 19:13:53 2019 +0300
@@ -5172,6 +5172,16 @@ static njs_unit_test_t njs_test[] =
{ nxt_string("''.lastIndexOf(undefined)"),
nxt_string("-1") },

+ { nxt_string("'β'.repeat(32).lastIndexOf('β')"),
+ nxt_string("31") },
+
+ { nxt_string("'β'.repeat(32).lastIndexOf``"),
+ nxt_string("32") },
+
+ { nxt_string("JSON.stringify(Array(24).fill(true).map((v,i) => 'abc abc ab abc абвгдежзab'.lastIndexOf('abc', i)))"
+ "== JSON.stringify([].concat(Array(4).fill(0), Array(7).fill(4), Array(13).fill(11)))"),
+ nxt_string("true") },
+
{ nxt_string("''.includes('')"),
nxt_string("true") },

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel