details: https://hg.nginx.org/njs/rev/5f4adb155dcf
branches:
changeset: 1368:5f4adb155dcf
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Fri Apr 10 11:15:12 2020 +0000
description:
Fixed potential heap-buffer-overflow in njs_vm_value().

The issue was introduced in 7ccb8b32cc02.

diffstat:

src/njs_vm.c | 2 +-
src/test/njs_unit_test.c | 14 ++++++++++++--
2 files changed, 13 insertions(+), 3 deletions(-)

diffs (43 lines):

diff -r 7ccb8b32cc02 -r 5f4adb155dcf src/njs_vm.c
--- a/src/njs_vm.c Wed Apr 08 13:15:02 2020 +0000
+++ b/src/njs_vm.c Fri Apr 10 11:15:12 2020 +0000
@@ -593,7 +593,7 @@ njs_vm_value(njs_vm_t *vm, const njs_str
njs_set_object(&value, &vm->global_object);

for ( ;; ) {
- p = njs_strchr(start, '.');
+ p = njs_strlchr(start, end, '.');

size = ((p != NULL) ? p : end) - start;
if (njs_slow_path(size == 0)) {
diff -r 7ccb8b32cc02 -r 5f4adb155dcf src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Wed Apr 08 13:15:02 2020 +0000
+++ b/src/test/njs_unit_test.c Fri Apr 10 11:15:12 2020 +0000
@@ -17472,7 +17472,7 @@ njs_vm_value_test(njs_opts_t *opts, njs_
{
njs_vm_t *vm;
njs_int_t ret;
- njs_str_t s, *script;
+ njs_str_t s, *script, path;
njs_uint_t i;
njs_bool_t success;
njs_stat_t prev;
@@ -17564,7 +17564,17 @@ njs_vm_value_test(njs_opts_t *opts, njs_
goto done;
}

- ret = njs_vm_value(vm, &tests[i].path, &vm->retval);
+ path = tests[i].path;
+
+ path.start = njs_mp_alloc(vm->mem_pool, path.length);
+ if (path.start == NULL) {
+ njs_printf("njs_mp_alloc() failed\n");
+ goto done;
+ }
+
+ memcpy(path.start, tests[i].path.start, path.length);
+
+ ret = njs_vm_value(vm, &path, &vm->retval);

if (njs_vm_retval_string(vm, &s) != NJS_OK) {
njs_printf("njs_vm_retval_string() failed\n");
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel