Welcome! Log In Create A New Profile

Advanced

[njs] Fixed information leak in Buffer.from().

Previous Message Next Message
Forum List Message List New Topic Print View
Dmitry Volyntsev
December 27, 2021 11:08AM
details: https://hg.nginx.org/njs/rev/752d3d8ab217
branches:
changeset: 1789:752d3d8ab217
user: Artem S. Povalyukhin <artem.povaluhin@gmail.com>
date: Sat Dec 25 22:45:30 2021 +0300
description:
Fixed information leak in Buffer.from().

This closes #446 on Github.

diffstat:

src/njs_buffer.c | 23 +++--------------------
src/test/njs_unit_test.c | 8 ++++++++
2 files changed, 11 insertions(+), 20 deletions(-)

diffs (65 lines):

diff -r 2e544ef59092 -r 752d3d8ab217 src/njs_buffer.c
--- a/src/njs_buffer.c Sat Dec 25 22:45:30 2021 +0300
+++ b/src/njs_buffer.c Sat Dec 25 22:45:30 2021 +0300
@@ -339,8 +339,7 @@ njs_buffer_from_object(njs_vm_t *vm, njs
uint32_t i;
njs_str_t str;
njs_int_t ret;
- njs_array_t *array;
- njs_value_t retval, length;
+ njs_value_t data, retval, length;
njs_typed_array_t *buffer;

static const njs_value_t string_length = njs_string("length");
@@ -379,7 +378,8 @@ next:
}

if (njs_is_object(&retval)) {
- value = &retval;
+ njs_value_assign(&data, &retval);
+ value = &data;
goto next;
}

@@ -398,23 +398,6 @@ next:

p = njs_typed_array_buffer(buffer)->u.u8;

- if (njs_is_fast_array(value)) {
- array = njs_array(value);
-
- for (i = 0; i < array->length; i++) {
- ret = njs_value_to_number(vm, &array->start[i], &num);
- if (njs_slow_path(ret != NJS_OK)) {
- return ret;
- }
-
- *p++ = njs_number_to_int32(num);
- }
-
- njs_set_typed_array(&vm->retval, buffer);
-
- return NJS_OK;
- }
-
for (i = 0; i < len; i++) {
ret = njs_value_property_i64(vm, value, i, &retval);
if (njs_slow_path(ret == NJS_ERROR)) {
diff -r 2e544ef59092 -r 752d3d8ab217 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Sat Dec 25 22:45:30 2021 +0300
+++ b/src/test/njs_unit_test.c Sat Dec 25 22:45:30 2021 +0300
@@ -19926,6 +19926,14 @@ static njs_unit_test_t njs_buffer_modul
{ njs_str("Buffer.from({ type: 'Buffer', get data() { throw new Error('test'); } })"),
njs_str("Error: test") },

+ { njs_str("var a = [1,2,3,4]; a[1] = { valueOf() { a.length = 3; return 1; } };"
+ "njs.dump(Buffer.from(a))"),
+ njs_str("Buffer [1,1,3,0]") },
+
+ { njs_str("var a = [1,2,3,4]; a[1] = { valueOf() { a.length = 4096; a.fill(13); return 1; } };"
+ "njs.dump(Buffer.from(a))"),
+ njs_str("Buffer [1,1,13,13]") },
+
{ njs_str("["
" ['6576696c', 'hex'],"
" ['ZXZpbA==', 'base64'],"
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

[njs] Fixed information leak in Buffer.from().

Dmitry Volyntsev 428 December 27, 2021 11:08AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 288
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready