details: https://hg.nginx.org/njs/rev/b02b79e30d4a branches: changeset: 1198:b02b79e30d4a user: Alexander Borisov <alexander.bori...@nginx.com> date: Thu Oct 24 16:15:01 2019 +0300 description: Fixed heap-buffer-overflow in njs_array_reverse_iterator() function.
Affected JS functions in Array.prototype: lastIndexOf, reduceRight. diffstat: src/njs_array.c | 3 ++- src/test/njs_unit_test.c | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletions(-) diffs (46 lines): diff -r 9e327cd3a33e -r b02b79e30d4a src/njs_array.c --- a/src/njs_array.c Wed Oct 23 14:42:38 2019 +0300 +++ b/src/njs_array.c Thu Oct 24 16:15:01 2019 +0300 @@ -1594,7 +1594,8 @@ njs_array_reverse_iterator(njs_vm_t *vm, } else { /* UTF-8 string. */ - p = njs_string_offset(string_prop.start, end, from + 1); + p = njs_string_offset(string_prop.start, end, from); + p = njs_utf8_next(p, end); i = from + 1; diff -r 9e327cd3a33e -r b02b79e30d4a src/test/njs_unit_test.c --- a/src/test/njs_unit_test.c Wed Oct 23 14:42:38 2019 +0300 +++ b/src/test/njs_unit_test.c Thu Oct 24 16:15:01 2019 +0300 @@ -4407,6 +4407,17 @@ static njs_unit_test_t njs_test[] = "Array.prototype.lastIndexOf.call(o); i"), njs_str("1") }, + { njs_str("[''].lastIndexOf.call('00000000000000000000000000000а00')"), + njs_str("-1") }, + + { njs_str("var o = 'ГВБА';" + "Array.prototype.lastIndexOf.call(o, 'Г', 0)"), + njs_str("0") }, + + { njs_str("var o = 'ГВБА';" + "Array.prototype.lastIndexOf.call(o, 'Г', 4)"), + njs_str("0") }, + { njs_str("[1,2,3,4].includes()"), njs_str("false") }, @@ -5029,6 +5040,11 @@ static njs_unit_test_t njs_test[] = "catch (e) {i += '; ' + e} i"), njs_str("1; TypeError: unexpected iterator arguments") }, + { njs_str("var m = [];" + "[''].reduceRight.call('00000000000000000000000000000а00', (p, v, i, a) => {m.push(v)});" + "m.join('')"), + njs_str("0а00000000000000000000000000000") }, + { njs_str("var a = ['1','2','3','4','5','6']; a.sort()"), njs_str("1,2,3,4,5,6") }, _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel