[njs] Fixed stack-use-after-scope in Array.prototype.map().

Alexander Borisov alexander.borisov at nginx.com
Tue Sep 17 08:30:12 UTC 2019


details:   https://hg.nginx.org/njs/rev/1293f464dcc7
branches:  
changeset: 1161:1293f464dcc7
user:      Alexander Borisov <alexander.borisov at nginx.com>
date:      Tue Sep 17 11:29:10 2019 +0300
description:
Fixed stack-use-after-scope in Array.prototype.map().

In njs_array_iterator(), args.value is replaced with a value on the stack
for non-object strings.

diffstat:

 src/njs_array.c          |  6 +++---
 src/test/njs_unit_test.c |  3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diffs (32 lines):

diff -r d0d4fa8918ac -r 1293f464dcc7 src/njs_array.c
--- a/src/njs_array.c	Tue Sep 17 09:20:24 2019 +0300
+++ b/src/njs_array.c	Tue Sep 17 11:29:10 2019 +0300
@@ -1917,12 +1917,12 @@ njs_array_prototype_map(njs_vm_t *vm, nj
             return ret;
         }
 
-        if (njs_is_array(iargs.value)
-            && njs_object_hash_is_empty(iargs.value))
+        if (njs_is_array(&args[0])
+            && njs_object_hash_is_empty(&args[0]))
         {
             array = iargs.array;
 
-            for (i = njs_array_len(iargs.value); i < length; i++) {
+            for (i = njs_array_len(&args[0]); i < length; i++) {
                 njs_set_invalid(&array->start[i]);
             }
         }
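Review bot: Nothing at the `njs_is_array(&args[0])` check records why `iargs.value` must not be read after the iterator returns, so a later cleanup could switch back to it and reintroduce the stack-use-after-scope. Going by the commit description, njs_array_iterator() can repoint that field at one of its own locals for primitive strings; a comment above the `if`, such as `/* iargs.value may point into njs_array_iterator()'s stack frame; use args[0]. */`, would pin the reason. The stale pointer presumably still sits in `iargs` after the call, so any other caller that reads `iargs.value` after iterating deserves the same audit, which cannot be checked from this hunk. njs_array_prototype_map() starts and ends outside the hunk.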
diff -r d0d4fa8918ac -r 1293f464dcc7 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c	Tue Sep 17 09:20:24 2019 +0300
+++ b/src/test/njs_unit_test.c	Tue Sep 17 11:29:10 2019 +0300
@@ -4506,6 +4506,9 @@ static njs_unit_test_t  njs_test[] =
               ".every(x => x === true)"),
       njs_str("true") },
 
+    { njs_str("Array.prototype.map.call('abcdef', (val, idx, obj) => {return val === 100})"),
+      njs_str("false,false,false,false,false,false") },
+
     { njs_str("var a = [];"
                  "a.reduce(function(p, v, i, a) { return p + v })"),
       njs_str("TypeError: invalid index") },
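Review bot: The added `Array.prototype.map.call('abcdef', ...)` case asserts only the script's output, which probably does not depend on the dangling read, so it is likely to pass on an unfixed tree unless the unit tests are built with AddressSanitizer. It would help to note next to the entry that it is a sanitizer regression test, for example `/* ASan: stack-use-after-scope in map() on a primitive string. */`, and to confirm that the test run includes a sanitized build. The njs_test[] table starts and ends outside the hunk.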

