Welcome! Log In Create A New Profile

Advanced

[njs] Fixed allocation of large array literals.

Dmitry Volyntsev
February 21, 2022 12:02PM
details: https://hg.nginx.org/njs/rev/805c1c96a2d2
branches:
changeset: 1831:805c1c96a2d2
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Mon Feb 21 16:53:16 2022 +0000
description:
Fixed allocation of large array literals.

Previously, allocation of large array literals may result in
null-pointer dereference. The reason is that njs_array_alloc() may
return a slow array when size is large enough, but the instruction
code assumes that array is always flat.

The fix is to check fast_array flag before accessing array->start.

This closes #473 issue on Github.

diffstat:

src/njs_vmcode.c | 18 ++++++++++--------
src/test/njs_unit_test.c | 4 ++++
2 files changed, 14 insertions(+), 8 deletions(-)

diffs (42 lines):

diff -r eb8689f0a850 -r 805c1c96a2d2 src/njs_vmcode.c
--- a/src/njs_vmcode.c Mon Feb 21 16:52:59 2022 +0000
+++ b/src/njs_vmcode.c Mon Feb 21 16:53:16 2022 +0000
@@ -1055,14 +1055,16 @@ njs_vmcode_array(njs_vm_t *vm, u_char *p

if (code->ctor) {
/* Array of the form [,,,], [1,,]. */
- value = array->start;
- length = array->length;
-
- do {
- njs_set_invalid(value);
- value++;
- length--;
- } while (length != 0);
+ if (array->object.fast_array) {
+ value = array->start;
+ length = array->length;
+
+ do {
+ njs_set_invalid(value);
+ value++;
+ length--;
+ } while (length != 0);
+ }

} else {
/* Array of the form [], [,,1], [1,2,3]. */
diff -r eb8689f0a850 -r 805c1c96a2d2 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Mon Feb 21 16:52:59 2022 +0000
+++ b/src/test/njs_unit_test.c Mon Feb 21 16:53:16 2022 +0000
@@ -13154,6 +13154,10 @@ static njs_unit_test_t njs_test[] =
{ njs_str("(new Function('return 5' + '** 1'.repeat(2**13)))()"),
njs_str("5") },

+ { njs_str("var a = (new Function('return [' + ','.repeat(2**16) + ']'))();"
+ "njs.dump(a)"),
+ njs_str("[<65536 empty items>]") },
+
{ njs_str("(new Function('var a = 7; return a' + '= a'.repeat(2**13)))()"),
njs_str("7") },

_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org
Subject Author Views Posted

[njs] Fixed allocation of large array literals.

Dmitry Volyntsev 503 February 21, 2022 12:02PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 96
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready