[njs] String.prototype.repeat() did not check the count parameter

Igor Sysoev igor at sysoev.ru
Fri Nov 4 13:23:33 UTC 2016


details:   http://hg.nginx.org/njs/rev/e16086a85f0b
branches:  
changeset: 235:e16086a85f0b
user:      Igor Sysoev <igor at sysoev.ru>
date:      Fri Nov 04 16:22:56 2016 +0300
description:
String.prototype.repeat() did not check the count parameter
for single-character strings.  The count parameter should also be
checked for an empty string.

In collaboration with Andrey Zelenkov and Valentin Bartenev.

diffstat:

 njs/njs_string.c         |  22 ++++++++++++----------
 njs/test/njs_unit_test.c |  31 +++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 10 deletions(-)

diffs (78 lines):

diff -r ff8f717db1be -r e16086a85f0b njs/njs_string.c
--- a/njs/njs_string.c	Thu Nov 03 18:12:10 2016 +0300
+++ b/njs/njs_string.c	Fri Nov 04 16:22:56 2016 +0300
@@ -1756,21 +1756,23 @@ njs_string_prototype_repeat(njs_vm_t *vm
 
     (void) njs_string_prop(&string, &args[0]);
 
+    if (nargs > 1) {
+        max = (string.size > 1) ? NJS_STRING_MAX_LENGTH / string.size
+                                : NJS_STRING_MAX_LENGTH;
+
+        n = args[1].data.u.number;
+
+        if (nxt_slow_path(n < 0 || n >= max)) {
+            vm->exception = &njs_exception_range_error;
+            return NXT_ERROR;
+        }
+    }
+
     if (string.size == 0) {
         vm->retval = njs_string_empty;
         return NXT_OK;
     }
 
-    if (nargs > 1) {
-        max = NJS_STRING_MAX_LENGTH / string.size;
-        n = args[1].data.u.number;
-
-        if (nxt_slow_path(n < 0 || n > max)) {
-            vm->exception = &njs_exception_range_error;
-            return NXT_ERROR;
-        }
-    }
-
     size = string.size * n;
     length = string.length * n;
 
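Review bot: The guard `if (nxt_slow_path(n < 0 || n >= max))` is evaluated on `n` only after `n = args[1].data.u.number;`, so it is sound only if that value narrows into `n` safely; the declaration of `n` is outside the hunk. If `n` is an integer type and the argument can still be NaN, Infinity or beyond the integer range at this point, the conversion is undefined in C, and the check protecting `size = string.size * n` would run on an unspecified value. If the argument is normalized before this function is called, a comment above the assignment should say so, for example `/* args[1] has already been converted to a finite 32-bit integer. */`; otherwise compare the double against `max` before assigning it. What `n` holds when `nargs` is 1 is also set outside the hunk and is worth confirming, since `size = string.size * n` uses it unconditionally.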
diff -r ff8f717db1be -r e16086a85f0b njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c	Thu Nov 03 18:12:10 2016 +0300
+++ b/njs/test/njs_unit_test.c	Fri Nov 04 16:22:56 2016 +0300
@@ -3633,6 +3633,37 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("'abc'.repeat(-1)"),
       nxt_string("RangeError") },
 
+    { nxt_string("''.repeat(-1)"),
+      nxt_string("RangeError") },
+
+    { nxt_string("'a'.repeat(2147483647)"),
+      nxt_string("RangeError") },
+
+    { nxt_string("'a'.repeat(2147483648)"),
+      nxt_string("RangeError") },
+
+    { nxt_string("'a'.repeat(Infinity)"),
+      nxt_string("RangeError") },
+
+    { nxt_string("'a'.repeat(NaN)"),
+      nxt_string("") },
+
+    { nxt_string("''.repeat(2147483646)"),
+      nxt_string("") },
+
+    /* ES6: "". */
+    { nxt_string("''.repeat(2147483647)"),
+      nxt_string("RangeError") },
+
+    { nxt_string("''.repeat(2147483648)"),
+      nxt_string("RangeError") },
+
+    { nxt_string("''.repeat(Infinity)"),
+      nxt_string("RangeError") },
+
+    { nxt_string("''.repeat(NaN)"),
+      nxt_string("") },
+
     { nxt_string("encodeURI()"),
       nxt_string("undefined")},
 
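Review bot: None of the added cases covers the comparison that changed for strings longer than one byte, where the limit is `NJS_STRING_MAX_LENGTH / string.size` and the test is now `>=` instead of `>`; every new entry uses `''` or `'a'`. A case for a multi-character string with the first rejected count would pin that boundary; the accepted side would build a string near the maximum length, so it may be impractical as a unit test. The comment `/* ES6: "". */` is hard to read on its own; something like `/* ES6 returns "" here; njs raises RangeError because the count is checked before the empty-string shortcut. */` would mark the deviation as deliberate. The `njs_test[]` initialiser starts and ends outside the hunk.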


