Welcome! Log In Create A New Profile

Advanced

[njs] Fixed njs_array_convert_to_slow_array().

Dmitry Volyntsev
June 11, 2022 03:18AM
details: https://hg.nginx.org/njs/rev/c6522ba4bd53
branches:
changeset: 1888:c6522ba4bd53
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Sat Jun 11 00:15:49 2022 -0700
description:
Fixed njs_array_convert_to_slow_array().

Previously, the function might free invalid pointer, as array->start is
not always points to the beginning of allocated memory block.

This closes #540 issue on Github.

diffstat:

src/njs_array.c | 2 +-
src/test/njs_unit_test.c | 6 ++++++
2 files changed, 7 insertions(+), 1 deletions(-)

diffs (28 lines):

diff -r 77758def397a -r c6522ba4bd53 src/njs_array.c
--- a/src/njs_array.c Sat Jun 11 00:15:30 2022 -0700
+++ b/src/njs_array.c Sat Jun 11 00:15:49 2022 -0700
@@ -165,7 +165,7 @@ njs_array_convert_to_slow_array(njs_vm_t

/* GC: release value. */

- njs_mp_free(vm->mem_pool, array->start);
+ njs_mp_free(vm->mem_pool, array->data);
array->start = NULL;

return NJS_OK;
diff -r 77758def397a -r c6522ba4bd53 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Sat Jun 11 00:15:30 2022 -0700
+++ b/src/test/njs_unit_test.c Sat Jun 11 00:15:49 2022 -0700
@@ -4743,6 +4743,12 @@ static njs_unit_test_t njs_test[] =
"a.shift(); a"),
njs_str("2,3") },

+ { njs_str("var arr = [1,2];"
+ "arr.shift();"
+ "arr[2**20] = 3;"
+ "arr[2**20]"),
+ njs_str("3") },
+
{ njs_str("var a = []; a.splice()"),
njs_str("") },

_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org
Subject Author Views Posted

[njs] Fixed njs_array_convert_to_slow_array().

Dmitry Volyntsev 190 June 11, 2022 03:18AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 46
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready