details: https://hg.nginx.org/njs/rev/1023383de2d6
branches:
changeset: 1286:1023383de2d6
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Mon Dec 16 15:18:51 2019 +0300
description:
Fixed stack-use-after-free in njs_value_property_set().

diffstat:

src/njs_object.h | 9 +++------
src/test/njs_unit_test.c | 8 ++++++++
2 files changed, 11 insertions(+), 6 deletions(-)

diffs (43 lines):

diff -r a0adc224673d -r 1023383de2d6 src/njs_object.h
--- a/src/njs_object.h Mon Dec 16 15:18:51 2019 +0300
+++ b/src/njs_object.h Mon Dec 16 15:18:51 2019 +0300
@@ -204,18 +204,15 @@ njs_value_to_key(njs_vm_t *vm, njs_value


njs_inline njs_int_t
-njs_key_string_get(njs_vm_t *vm, const njs_value_t *key, njs_str_t *str)
+njs_key_string_get(njs_vm_t *vm, njs_value_t *key, njs_str_t *str)
{
- njs_int_t ret;
- njs_value_t dst;
+ njs_int_t ret;

if (njs_slow_path(njs_is_symbol(key))) {
- ret = njs_symbol_to_string(vm, &dst, key);
+ ret = njs_symbol_to_string(vm, key, key);
if (njs_slow_path(ret != NJS_OK)) {
return ret;
}
-
- key = &dst;
}

njs_string_get(key, str);
diff -r a0adc224673d -r 1023383de2d6 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Mon Dec 16 15:18:51 2019 +0300
+++ b/src/test/njs_unit_test.c Mon Dec 16 15:18:51 2019 +0300
@@ -10475,6 +10475,14 @@ static njs_unit_test_t njs_test[] =
"while(n--) o[Symbol()] = 'test'; o[''];"),
njs_str("undefined") },

+ { njs_str("var symA = Symbol('A'); var obj = {[symA]:1}; Object.freeze(obj); "
+ "obj[symA] = 2"),
+ njs_str("TypeError: Cannot assign to read-only property \"Symbol(A)\" of object") },
+
+ { njs_str("var symA = Symbol('A'); var obj = {[symA]:1}; Object.freeze(obj); "
+ "delete obj[symA]"),
+ njs_str("TypeError: Cannot delete property \"Symbol(A)\" of object") },
+
{ njs_str("["
" Object.prototype,"
" Symbol.prototype,"
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel