details: https://hg.nginx.org/njs/rev/251e7ab400a8
branches:
changeset: 1843:251e7ab400a8
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Wed Apr 27 16:31:00 2022 -0700
description:
Fixed Array.prototype.lastIndexOf() with unicode string as "this".

Previously, when lastIndexOf() was called with unicode string as "this"
argument and a negative "fromIndex" argument null-pointer dererence
might occur because njs_string_offset() was called with invalid index
value whereas njs_string_offset() should always be called with valid
index argument.

The fix is to verify that from index is valid.

This closes #482 issue on Github.

diffstat:

src/njs_iterator.c | 9 ++++++---
src/test/njs_unit_test.c | 3 +++
2 files changed, 9 insertions(+), 3 deletions(-)

diffs (33 lines):

diff -r f150bd2d40bb -r 251e7ab400a8 src/njs_iterator.c
--- a/src/njs_iterator.c Tue Apr 26 16:07:06 2022 -0700
+++ b/src/njs_iterator.c Wed Apr 27 16:31:00 2022 -0700
@@ -560,10 +560,13 @@ njs_object_iterate_reverse(njs_vm_t *vm,
} else {
/* UTF-8 string. */

- p = njs_string_offset(string_prop.start, end, from);
- p = njs_utf8_next(p, end);
+ p = NULL;
+ i = from + 1;

- i = from + 1;
+ if (i > to) {
+ p = njs_string_offset(string_prop.start, end, from);
+ p = njs_utf8_next(p, end);
+ }

while (i-- > to) {
pos = njs_utf8_prev(p);
diff -r f150bd2d40bb -r 251e7ab400a8 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Tue Apr 26 16:07:06 2022 -0700
+++ b/src/test/njs_unit_test.c Wed Apr 27 16:31:00 2022 -0700
@@ -5103,6 +5103,9 @@ static njs_unit_test_t njs_test[] =
{ njs_str("Array.prototype.lastIndexOf.call({0:'undefined', length:0}, 'undefined')"),
njs_str("-1") },

+ { njs_str("[1,0,-1,-2].map(v => Array.prototype.lastIndexOf.call('Ф', 'Ф', v))"),
+ njs_str("0,0,0,-1") },
+
{ njs_str("[''].lastIndexOf.call('00000000000000000000000000000а00')"),
njs_str("-1") },

_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org