[njs] A fix in Array.prototype.splice() function.

Fri Oct 21 20:05:31 UTC 2016

details:   http://hg.nginx.org/njs/rev/7685bf403554
branches:  
changeset: 210:7685bf403554
user:      Igor Sysoev <igor at sysoev.ru>
date:      Fri Oct 21 23:03:02 2016 +0300
description:
A fix in Array.prototype.splice() function.

Found with afl-fuzz.

diffstat:

 njs/njs_array.c          |  39 ++++++++++++++++++++++++++++-----------
 njs/test/njs_unit_test.c |   9 +++++++++
 2 files changed, 37 insertions(+), 11 deletions(-)

diffs (97 lines):

diff -r b290544f11bc -r 7685bf403554 njs/njs_array.c

--- a/njs/njs_array.c	Thu Oct 20 17:12:42 2016 +0300
+++ b/njs/njs_array.c	Fri Oct 21 23:03:02 2016 +0300
@@ -574,8 +574,8 @@ njs_array_prototype_splice(njs_vm_t *vm,
     njs_index_t unused)
 {
     njs_ret_t    ret;
-    nxt_int_t    items, delta;
-    nxt_uint_t   i, n, start, delete, length;
+    nxt_int_t    n, start, length, items, delta, delete;
+    nxt_uint_t   i;
     njs_array_t  *array, *deleted;
 
     array = NULL;
@@ -584,19 +584,33 @@ njs_array_prototype_splice(njs_vm_t *vm,
 
     if (njs_is_array(&args[0])) {
         array = args[0].data.u.array;
+        length = array->length;
 
         if (nargs > 1) {
             start = args[1].data.u.number;
 
-            if (start > array->length) {
-                start = array->length;
+            if (start < 0) {
+                start += length;
+
+                if (start < 0) {
+                    start = 0;
+                }
+
+            } else if (start > length) {
+                start = length;
             }
 
+            delete = length - start;
+
             if (nargs > 2) {
-                delete = args[2].data.u.number;
+                n = args[2].data.u.number;
 
-            } else {
-                delete = array->length - start;
+                if (n < 0) {
+                    delete = 0;
+
+                } else if (n < delete) {
+                    delete = n;
+                }
             }
         }
     }
@@ -606,17 +620,20 @@ njs_array_prototype_splice(njs_vm_t *vm,
         return NXT_ERROR;
     }
 
-    if (array != NULL && (delete != 0 || nargs > 3)) {
-        length = array->length;
+    if (array != NULL && (delete >= 0 || nargs > 3)) {
 
         /* Move deleted items to a new array to return. */
-        for (i = 0, n = start; i < delete && n < length; i++, n++) {
+        for (i = 0, n = start; i < (nxt_uint_t) delete; i++, n++) {
             /* No retention required. */
             deleted->start[i] = array->start[n];
         }
 
         items = nargs - 3;
-        items = items >= 0 ? items : 0;
+
+        if (items < 0) {
+            items = 0;
+        }
+
         delta = items - delete;
 
         if (delta != 0) {
diff -r b290544f11bc -r 7685bf403554 njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c	Thu Oct 20 17:12:42 2016 +0300
+++ b/njs/test/njs_unit_test.c	Fri Oct 21 23:03:02 2016 +0300
@@ -2316,6 +2316,15 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("var a = []; a.splice()"),
       nxt_string("") },
 
+    { nxt_string("[].splice(0,5,0)"),
+      nxt_string("") },
+
+    { nxt_string("[1,2,3,4,5].splice(-2,3,0)"),
+      nxt_string("4,5") },
+
+    { nxt_string("[].__proto__.splice(0,1,0)"),
+      nxt_string("") },
+
     { nxt_string("var a = [];"
                  "a.splice(9,0,1,2).join(':') + '|' + a"),
       nxt_string("|1,2") },

