Welcome! Log In Create A New Profile

Advanced

[njs] Fixed potential integer-overflow in String.prototype.replace().

Dmitry Volyntsev
February 17, 2020 09:04AM
details: https://hg.nginx.org/njs/rev/d2877d602d39
branches:
changeset: 1329:d2877d602d39
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Mon Feb 17 16:18:40 2020 +0300
description:
Fixed potential integer-overflow in String.prototype.replace().

diffstat:

src/njs_string.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diffs (20 lines):

diff -r db3a66bd71c1 -r d2877d602d39 src/njs_string.c
--- a/src/njs_string.c Mon Feb 17 16:18:38 2020 +0300
+++ b/src/njs_string.c Mon Feb 17 16:18:40 2020 +0300
@@ -3672,10 +3672,16 @@ njs_string_replace_regexp_function(njs_v
njs_value_t *arguments;
njs_string_prop_t string;

+ if (njs_slow_path((n + 3) >= UINT32_MAX / sizeof(njs_value_t))) {
+ njs_memory_error(vm);
+ return NJS_ERROR;
+ }
+
njs_set_invalid(&r->retval);

arguments = njs_mp_alloc(vm->mem_pool, (n + 3) * sizeof(njs_value_t));
if (njs_slow_path(arguments == NULL)) {
+ njs_memory_error(vm);
return NJS_ERROR;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[njs] Fixed potential integer-overflow in String.prototype.replace().

Dmitry Volyntsev 72 February 17, 2020 09:04AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 100
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready