Welcome! Log In Create A New Profile

[njs] Fixed heap-buffer-overflow in toUpperCase() and toLowerCase().

Forum List Message List New Topic Print View

Dmitry Volyntsev

May 30, 2019 10:16AM

details: https://hg.nginx.org/njs/rev/cc9a99f09b51
branches:
changeset: 995:cc9a99f09b51
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Thu May 30 16:46:26 2019 +0300
description:
Fixed heap-buffer-overflow in toUpperCase() and toLowerCase().

In String.prototype. This closes #162 issue on Github.

diffstat:

njs/njs_string.c | 18 ++++++++++--------
njs/test/njs_unit_test.c | 8 ++++----
2 files changed, 14 insertions(+), 12 deletions(-)

diffs (76 lines):

diff -r b6ecd0086ed3 -r cc9a99f09b51 njs/njs_string.c
--- a/njs/njs_string.c Thu May 30 16:16:22 2019 +0300
+++ b/njs/njs_string.c Thu May 30 16:46:26 2019 +0300
@@ -2171,7 +2171,7 @@ static njs_ret_t
njs_string_prototype_to_lower_case(njs_vm_t *vm, njs_value_t *args,
nxt_uint_t nargs, njs_index_t unused)
{
- size_t size;
+ size_t size, length;
u_char *p, *start;
const u_char *s, *end;
njs_string_prop_t string;
@@ -2198,10 +2198,11 @@ njs_string_prototype_to_lower_case(njs_v
} else {
/* UTF-8 string. */
end = s + size;
-
- while (size != 0) {
+ length = string.length;
+
+ while (length != 0) {
p = nxt_utf8_encode(p, nxt_utf8_lower_case(&s, end));
- size--;
+ length--;
}
}

@@ -2219,7 +2220,7 @@ static njs_ret_t
njs_string_prototype_to_upper_case(njs_vm_t *vm, njs_value_t *args,
nxt_uint_t nargs, njs_index_t unused)
{
- size_t size;
+ size_t size, length;
u_char *p, *start;
const u_char *s, *end;
njs_string_prop_t string;
@@ -2246,10 +2247,11 @@ njs_string_prototype_to_upper_case(njs_v
} else {
/* UTF-8 string. */
end = s + size;
-
- while (size != 0) {
+ length = string.length;
+
+ while (length != 0) {
p = nxt_utf8_encode(p, nxt_utf8_upper_case(&s, end));
- size--;
+ length--;
}
}

diff -r b6ecd0086ed3 -r cc9a99f09b51 njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c Thu May 30 16:16:22 2019 +0300
+++ b/njs/test/njs_unit_test.c Thu May 30 16:46:26 2019 +0300
@@ -5277,8 +5277,8 @@ static njs_unit_test_t njs_test[] =
{ nxt_string("'абв абв абвгдежз'.endsWith('абвгд', 14)"),
nxt_string("false") },

- { nxt_string("'ABC'.toLowerCase()"),
- nxt_string("abc") },
+ { nxt_string("'\x00АБВГДЕЁЖЗ'.toLowerCase().length"),
+ nxt_string("10") },

{ nxt_string("'ΑΒΓ'.toLowerCase()"),
nxt_string("αβγ") },
@@ -5292,8 +5292,8 @@ static njs_unit_test_t njs_test[] =
{ nxt_string("'αβγ'.toUpperCase()"),
nxt_string("ΑΒΓ") },

- { nxt_string("'абв'.toUpperCase()"),
- nxt_string("АБВ") },
+ { nxt_string("'\x00абвгдеёжз'.toUpperCase().length"),
+ nxt_string("10") },

{ nxt_string("var a = [], code;"
"for (code = 0; code <= 1114111; code++) {"
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[njs] Fixed heap-buffer-overflow in toUpperCase() and toLowerCase().	Dmitry Volyntsev	338	May 30, 2019 10:16AM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 196

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018