[njs] Fixed heap-buffer-overflow in Buffer.prototype.indexOf().

Anonymous User
October 10, 2024 12:44PM
details: https://github.com/nginx/njs/commit/6c8084b666cfe5db5d9401e7dff7981b5b2eb100
branches: master
commit: 6c8084b666cfe5db5d9401e7dff7981b5b2eb100
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Wed, 9 Oct 2024 17:32:11 -0700
description:
Fixed heap-buffer-overflow in Buffer.prototype.indexOf().

Previously, when the `from` argument was provided, a heap-buffer-overflow might
happen due to a missing boundary check. The `to = njs_min(to, length)`
statement was also removed because it has no effect: `to` is
equal to `length` here.

The issue was introduced in 5d15a8d6 (0.8.5).

This closes #794 issue on Github.

---
src/njs_buffer.c | 5 ++++-
src/qjs_buffer.c | 7 ++++++-
test/buffer.t.js | 1 +
3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/njs_buffer.c b/src/njs_buffer.c
index 07054bf0..0bd5b896 100644
--- a/src/njs_buffer.c
+++ b/src/njs_buffer.c
@@ -2228,7 +2228,10 @@ encoding:

} else {
to -= str.length - 1;
- to = njs_min(to, length);
+
+ if (from > to) {
+ goto done;
+ }
}

for (i = from; i != to; i += increment) {
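Review bot: The new `if (from > to)` guard is correct only if `to` cannot wrap before it is compared; `to -= str.length - 1` on the line above underflows if `to` is unsigned and the needle is longer than the buffer, and the comparison would then not catch it, so it is worth confirming that an earlier length check already rejects that case (that check is outside this hunk). The guard relies on a `done:` label that this file's diff does not add, so it presumably already exists in njs_buffer.c; confirm it lands before the `-1` return path. A one-line comment would make the intent of the guard clear to the next reader, e.g. `/* no start position in [from, to) leaves room for the needle */`. The same check appears in the src/qjs_buffer.c hunk at @@ -1098 and the same remarks apply there; the enclosing function starts and ends outside this hunk.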
diff --git a/src/qjs_buffer.c b/src/qjs_buffer.c
index 2487c633..5def5e63 100644
--- a/src/qjs_buffer.c
+++ b/src/qjs_buffer.c
@@ -1098,7 +1098,10 @@ encoding:

} else {
to -= str.length - 1;
- to = njs_min(to, length);
+
+ if (from > to) {
+ goto done;
+ }
}

for (i = from; i != to; i += increment) {
@@ -1108,6 +1111,8 @@ encoding:
}
}

+done:
+
JS_FreeValue(ctx, buffer);
return JS_NewInt32(ctx, -1);
}
diff --git a/test/buffer.t.js b/test/buffer.t.js
index 55227b3a..f47c62f7 100644
--- a/test/buffer.t.js
+++ b/test/buffer.t.js
@@ -473,6 +473,7 @@ let indexOf_tsuite = {
{ buf: Buffer.from('abcdef'), value: 'abc', offset: 1, expected: -1 },
{ buf: Buffer.from('abcdef'), value: 'def', offset: 1, expected: 3 },
{ buf: Buffer.from('abcdef'), value: 'def', offset: -3, expected: 3 },
+ { buf: Buffer.from('abcdef'), value: 'efgh', offset: 4, expected: -1 },
{ buf: Buffer.from('abcdef'), value: '626364', encoding: 'hex', expected: 1 },
{ buf: Buffer.from('abcdef'), value: '626364', encoding: 'utf-128',
exception: 'TypeError: "utf-128" encoding is not supported' },
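Review bot: The added case exercises `from` past the last valid start position, but not the exact boundary `from == to`, which is the edge the new `i != to` loop relies on; a case like `{ buf: Buffer.from('abcdef'), value: 'def', offset: 4, expected: -1 }` pins it (the existing `offset: 1` case for `'def'` only covers the interior). A needle longer than the buffer, `{ buf: Buffer.from('abc'), value: 'abcdef', expected: -1 }`, would also guard the length subtraction in the C code, unless it is already covered elsewhere in `indexOf_tsuite`, which starts outside this hunk.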