details: https://hg.nginx.org/njs/rev/8f87e3ef4a4d branches: changeset: 913:8f87e3ef4a4d user: Alexander Borisov <alexander.bori...@nginx.com> date: Fri Apr 19 17:24:29 2019 +0300 description: Fixed overflow in Array.prototype.concat().
This closes #131 issue on GitHub. diffstat: njs/njs_array.c | 2 +- njs/test/njs_unit_test.c | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletions(-) diffs (30 lines): diff -r 434c654ef638 -r 8f87e3ef4a4d njs/njs_array.c --- a/njs/njs_array.c Fri Apr 19 17:48:39 2019 +0300 +++ b/njs/njs_array.c Fri Apr 19 17:24:29 2019 +0300 @@ -1125,7 +1125,7 @@ static njs_ret_t njs_array_prototype_concat(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs, njs_index_t unused) { - size_t length; + uint64_t length; nxt_uint_t i; njs_value_t *value; njs_array_t *array; diff -r 434c654ef638 -r 8f87e3ef4a4d njs/test/njs_unit_test.c --- a/njs/test/njs_unit_test.c Fri Apr 19 17:48:39 2019 +0300 +++ b/njs/test/njs_unit_test.c Fri Apr 19 17:24:29 2019 +0300 @@ -7956,6 +7956,14 @@ static njs_unit_test_t njs_test[] = { nxt_string("var x = Array(2**28)"), nxt_string("MemoryError") }, + { nxt_string("var r; try {" + " var x = Array(2**27), y = Array(2**5).fill(x);" + " Array.prototype.concat.apply(y[0], y.slice(1));" + "} catch (e) {" + " r = e.name == 'InternalError' || e.name == 'RangeError'" + "} r"), + nxt_string("true") }, + { nxt_string("var a = new Array(3); a"), nxt_string(",,") }, _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel