[njs] Fixed one byte overread in njs_string_to_c_string().

Valentin Bartenev
July 25, 2019 01:44PM
details: https://hg.nginx.org/njs/rev/644af379d226
branches:
changeset: 1068:644af379d226
user: Valentin Bartenev <vbart@nginx.com>
date: Thu Jul 25 20:17:42 2019 +0300
description:
Fixed one byte overread in njs_string_to_c_string().

Short strings are packed quite tightly in njs_value_t, so there's
no extra byte to test.

    struct {
        njs_value_type_t  type:8;

        uint8_t           size:4;
        uint8_t           length:4;

        u_char            start[14];
    } short_string;

With a 14-byte string this occupies 16 bytes, which is equal
to sizeof(njs_value_t).

diffstat:

njs/njs_string.c | 5 +----
1 files changed, 1 insertions(+), 4 deletions(-)

diffs (15 lines):

diff -r 427edfbe6762 -r 644af379d226 njs/njs_string.c
--- a/njs/njs_string.c Tue Jul 23 19:42:25 2019 +0300
+++ b/njs/njs_string.c Thu Jul 25 20:17:42 2019 +0300
@@ -3906,10 +3906,7 @@ njs_string_to_c_string(njs_vm_t *vm, njs
start = value->short_string.start;
size = value->short_string.size;

- if (start[size] == '\0') {
- return start;
-
- } else if (size < NJS_STRING_SHORT) {
+ if (size < NJS_STRING_SHORT) {
start[size] = '\0';
return start;
}
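Review bot: The surviving check `if (size < NJS_STRING_SHORT)` carries no comment saying why `start[size]` must not be read before it, so the removed `start[size] == '\0'` test could easily come back as an "avoid the write" optimisation. A one-line comment above the check would help, noting that `size` can equal the full capacity of `short_string.start` (14 bytes per the struct in the description), in which case `start[size]` is one byte past the 16-byte value. Also worth stating in the function's documentation: the store `start[size] = '\0'` now runs on every call for short strings, including those already terminated, so the function always writes into the `value` it is given. If that write matters to callers, the read can be kept safely by placing it after the bound check, e.g. `size < NJS_STRING_SHORT && start[size] == '\0'`.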
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel