[njs] Fixed heap-buffer-overflow in lexer.

Dmitry Volyntsev xeioex at nginx.com
Sun Mar 10 18:20:54 UTC 2019


details:   https://hg.nginx.org/njs/rev/5a27272949d8
branches:  
changeset: 823:5a27272949d8
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Sun Mar 10 21:13:26 2019 +0300
description:
Fixed heap-buffer-overflow in lexer.

The issue was introduced in 8e2cb4da5e46.

diffstat:

 njs/njs_lexer.c          |  19 ++-----------------
 njs/test/njs_unit_test.c |   3 +++
 2 files changed, 5 insertions(+), 17 deletions(-)

diffs (51 lines):

diff -r 4e82cb630c69 -r 5a27272949d8 njs/njs_lexer.c
--- a/njs/njs_lexer.c	Sun Mar 10 22:25:59 2019 +0800
+++ b/njs/njs_lexer.c	Sun Mar 10 21:13:26 2019 +0300
@@ -371,7 +371,7 @@ njs_lexer_token_push(njs_vm_t *vm, njs_l
 {
     njs_lexer_token_t  *lt;
 
-    lt = nxt_mp_alloc(vm->mem_pool, sizeof(njs_lexer_token_t));
+    lt = nxt_mp_zalloc(vm->mem_pool, sizeof(njs_lexer_token_t));
     if (nxt_slow_path(lt == NULL)) {
         return NULL;
     }
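Review bot: The switch to `nxt_mp_zalloc` zeroes every field of the new token, but nothing at the allocation says which field needs it, so a later change back to `nxt_mp_alloc` as an optimisation would look harmless. Judging from the second hunk, the field at stake appears to be `lt->text.length`, which the removed `default:` branch returned without assigning. A comment above the call would record that, for example `/* Zeroed: lt->text must be a valid (empty) string on paths that never set it. */`. The body of njs_lexer_token_push continues past the hunk, so whether other fields are assigned later is not visible here.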
@@ -542,24 +542,9 @@ njs_lexer_next_token(njs_lexer_t *lexer,
 
             /* Fall through. */
 
-        case NJS_TOKEN_BITWISE_NOT:
-        case NJS_TOKEN_OPEN_PARENTHESIS:
-        case NJS_TOKEN_CLOSE_PARENTHESIS:
-        case NJS_TOKEN_OPEN_BRACKET:
-        case NJS_TOKEN_CLOSE_BRACKET:
-        case NJS_TOKEN_OPEN_BRACE:
-        case NJS_TOKEN_CLOSE_BRACE:
-        case NJS_TOKEN_COMMA:
-        case NJS_TOKEN_COLON:
-        case NJS_TOKEN_SEMICOLON:
-        case NJS_TOKEN_CONDITIONAL:
+        default:
             lt->text.length = lexer->start - lt->text.start;
             return token;
-
-        case NJS_TOKEN_ILLEGAL:
-        default:
-            lexer->start--;
-            return token;
         }
 
     multi:
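Review bot: The merged `default:` branch now runs `lt->text.length = lexer->start - lt->text.start;` for every remaining token, including NJS_TOKEN_ILLEGAL, so it relies on `lt->text.start` being set before the switch and on `lexer->start` never being behind it. Neither is visible in the hunk. If the length field is unsigned, a violated invariant would wrap to a very large length and bring back an out-of-bounds read wherever the token text is formatted. The branch deserves a comment stating the invariant and the behaviour change, for example `/* Remaining tokens: text is [lt->text.start, lexer->start); an illegal character is consumed, not pushed back. */`. The switch opens outside the hunk, so the point where `text.start` is assigned should be checked against that comment.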
diff -r 4e82cb630c69 -r 5a27272949d8 njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c	Sun Mar 10 22:25:59 2019 +0800
+++ b/njs/test/njs_unit_test.c	Sun Mar 10 21:13:26 2019 +0300
@@ -22,6 +22,9 @@ typedef struct {
 
 static njs_unit_test_t  njs_test[] =
 {
+    { nxt_string("@"),
+      nxt_string("SyntaxError: Unexpected token \"@\" in 1") },
+
     { nxt_string("}"),
       nxt_string("SyntaxError: Unexpected token \"}\" in 1") },
 
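Review bot: The new regression case covers an illegal character only as the first byte of the script, and it asserts only on the error text. The over-read itself is therefore caught reliably only when the suite runs under a memory checker such as AddressSanitizer; a plain build may pass this test even without the fix. A second case with the illegal character after other tokens would pin the boundary, for example (constructed, expected text to be confirmed) `{ nxt_string("var a; @"), nxt_string("SyntaxError: Unexpected token \"@\" in 1") },`. The njs_test array continues past the hunk.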

