details: https://hg.nginx.org/njs/rev/2fdad3cbbd74
branches:
changeset: 1059:2fdad3cbbd74
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Thu Jul 18 21:12:25 2019 +0300
description:
Fixed njs_string_slice().
Previously, njs_string_slice() when slice->start == slice->string_length
may call njs_string_offset() with invalid index.
This might result in invalid memory access in njs_string_offset()
for native functions which use njs_string_slice():
String.prototype.substring()
diffstat:
njs/njs_string.c | 31 +++++++++++++++++++------------
njs/test/njs_unit_test.c | 3 +++
2 files changed, 22 insertions(+), 12 deletions(-)
diffs (55 lines):
diff -r 57cf608a29b5 -r 2fdad3cbbd74 njs/njs_string.c
--- a/njs/njs_string.c Thu Jul 18 16:18:19 2019 +0300
+++ b/njs/njs_string.c Thu Jul 18 21:12:25 2019 +0300
@@ -1351,19 +1351,26 @@ njs_string_slice_string_prop(njs_string_
} else {
/* UTF-8 string. */
end = start + string->size;
- start = njs_string_offset(start, end, slice->start);
-
- /* Evaluate size of the slice in bytes and ajdust length. */
- p = start;
- n = length;
-
- while (n != 0 && p < end) {
- p = nxt_utf8_next(p, end);
- n--;
+
+ if (slice->start < slice->string_length) {
+ start = njs_string_offset(start, end, slice->start);
+
+ /* Evaluate size of the slice in bytes and adjust length. */
+ p = start;
+ n = length;
+
+ while (n != 0 && p < end) {
+ p = nxt_utf8_next(p, end);
+ n--;
+ }
+
+ size = p - start;
+ length -= n;
+
+ } else {
+ length = 0;
+ size = 0;
}
-
- size = p - start;
- length -= n;
}
dst->start = (u_char *) start;
diff -r 57cf608a29b5 -r 2fdad3cbbd74 njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c Thu Jul 18 16:18:19 2019 +0300
+++ b/njs/test/njs_unit_test.c Thu Jul 18 21:12:25 2019 +0300
@@ -4825,6 +4825,9 @@ static njs_unit_test_t njs_test[] =
{ nxt_string("'α'.repeat(32).substring(32)"),
nxt_string("") },
+ { nxt_string("'α'.repeat(32).substring(32,32)"),
+ nxt_string("") },
+
{ nxt_string("'abcdefghijklmno'.slice(NaN, 5)"),
nxt_string("abcde") },
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
