Welcome! Log In Create A New Profile

Advanced

[njs] Fixed heap-buffer-overflow in njs_array_reverse_iterator() function.

Previous Message Next Message
Forum List Message List New Topic Print View
Alexander Borisov
October 24, 2019 09:16AM
details: https://hg.nginx.org/njs/rev/b02b79e30d4a
branches:
changeset: 1198:b02b79e30d4a
user: Alexander Borisov <alexander.borisov@nginx.com>
date: Thu Oct 24 16:15:01 2019 +0300
description:
Fixed heap-buffer-overflow in njs_array_reverse_iterator() function.

Affected JS functions in Array.prototype: lastIndexOf, reduceRight.

diffstat:

src/njs_array.c | 3 ++-
src/test/njs_unit_test.c | 16 ++++++++++++++++
2 files changed, 18 insertions(+), 1 deletions(-)

diffs (46 lines):

diff -r 9e327cd3a33e -r b02b79e30d4a src/njs_array.c
--- a/src/njs_array.c Wed Oct 23 14:42:38 2019 +0300
+++ b/src/njs_array.c Thu Oct 24 16:15:01 2019 +0300
@@ -1594,7 +1594,8 @@ njs_array_reverse_iterator(njs_vm_t *vm,
} else {
/* UTF-8 string. */

- p = njs_string_offset(string_prop.start, end, from + 1);
+ p = njs_string_offset(string_prop.start, end, from);
+ p = njs_utf8_next(p, end);

i = from + 1;

diff -r 9e327cd3a33e -r b02b79e30d4a src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Wed Oct 23 14:42:38 2019 +0300
+++ b/src/test/njs_unit_test.c Thu Oct 24 16:15:01 2019 +0300
@@ -4407,6 +4407,17 @@ static njs_unit_test_t njs_test[] =
"Array.prototype.lastIndexOf.call(o); i"),
njs_str("1") },

+ { njs_str("[''].lastIndexOf.call('00000000000000000000000000000а00')"),
+ njs_str("-1") },
+
+ { njs_str("var o = 'ГВБА';"
+ "Array.prototype.lastIndexOf.call(o, 'Г', 0)"),
+ njs_str("0") },
+
+ { njs_str("var o = 'ГВБА';"
+ "Array.prototype.lastIndexOf.call(o, 'Г', 4)"),
+ njs_str("0") },
+
{ njs_str("[1,2,3,4].includes()"),
njs_str("false") },

@@ -5029,6 +5040,11 @@ static njs_unit_test_t njs_test[] =
"catch (e) {i += '; ' + e} i"),
njs_str("1; TypeError: unexpected iterator arguments") },

+ { njs_str("var m = [];"
+ "[''].reduceRight.call('00000000000000000000000000000а00', (p, v, i, a) => {m.push(v)});"
+ "m.join('')"),
+ njs_str("0а00000000000000000000000000000") },
+
{ njs_str("var a = ['1','2','3','4','5','6']; a.sort()"),
njs_str("1,2,3,4,5,6") },

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

[njs] Fixed heap-buffer-overflow in njs_array_reverse_iterator() function.

Alexander Borisov 243 October 24, 2019 09:16AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 324
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready