[njs] Fixed size uint32_t overflow in njs_array_expand().
Dmitry Volyntsev
xeioex at nginx.com
Thu Nov 22 14:39:04 UTC 2018
details: https://hg.nginx.org/njs/rev/3b2689be3a57
branches:
changeset: 664:3b2689be3a57
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Thu Nov 22 17:38:25 2018 +0300
description:
Fixed size uint32_t overflow in njs_array_expand().
diffstat:
njs/njs_array.c | 21 ++++++++++++++++-----
njs/test/njs_unit_test.c | 6 ++++++
nxt/nxt_mem_cache_pool.c | 3 ++-
3 files changed, 24 insertions(+), 6 deletions(-)
diffs (108 lines):
diff -r 987f7998a967 -r 3b2689be3a57 njs/njs_array.c
--- a/njs/njs_array.c Thu Nov 22 15:35:25 2018 +0300
+++ b/njs/njs_array.c Thu Nov 22 17:38:25 2018 +0300
@@ -6,6 +6,7 @@
#include <njs_core.h>
#include <string.h>
+#include <stdint.h>
typedef struct {
@@ -136,7 +137,7 @@ njs_array_alloc(njs_vm_t *vm, uint32_t l
size = (uint64_t) length + spare;
- if (nxt_slow_path((size * sizeof(njs_value_t)) >= 0xffffffff)) {
+ if (nxt_slow_path((size * sizeof(njs_value_t)) >= UINT32_MAX)) {
goto memory_error;
}
@@ -201,11 +202,12 @@ njs_array_string_add(njs_vm_t *vm, njs_a
njs_ret_t
njs_array_expand(njs_vm_t *vm, njs_array_t *array, uint32_t prepend,
- uint32_t size)
+ uint32_t new_size)
{
+ uint64_t size;
njs_value_t *start, *old;
- size += array->length;
+ size = (uint64_t) new_size + array->length;
if (nxt_fast_path(size <= array->size && prepend == 0)) {
return NXT_OK;
@@ -218,11 +220,14 @@ njs_array_expand(njs_vm_t *vm, njs_array
size += size / 2;
}
+ if (nxt_slow_path(((prepend + size) * sizeof(njs_value_t)) >= UINT32_MAX)) {
+ goto memory_error;
+ }
+
start = nxt_mem_cache_align(vm->mem_cache_pool, sizeof(njs_value_t),
(prepend + size) * sizeof(njs_value_t));
if (nxt_slow_path(start == NULL)) {
- njs_memory_error(vm);
- return NXT_ERROR;
+ goto memory_error;
}
array->size = size;
@@ -238,6 +243,12 @@ njs_array_expand(njs_vm_t *vm, njs_array
nxt_mem_cache_free(vm->mem_cache_pool, old);
return NXT_OK;
+
+memory_error:
+
+ njs_memory_error(vm);
+
+ return NXT_ERROR;
}
diff -r 987f7998a967 -r 3b2689be3a57 njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c Thu Nov 22 15:35:25 2018 +0300
+++ b/njs/test/njs_unit_test.c Thu Nov 22 17:38:25 2018 +0300
@@ -2905,6 +2905,9 @@ static njs_unit_test_t njs_test[] =
nxt_string("0:0,1:1,2:2,null:null,undefined:defined,false:false,"
"true:true,Infinity:Infinity,-Infinity:-Infinity,NaN:NaN,") },
+ { nxt_string("--[][3e9]"),
+ nxt_string("MemoryError") },
+
{ nxt_string("[].length"),
nxt_string("0") },
@@ -2933,6 +2936,9 @@ static njs_unit_test_t njs_test[] =
{ nxt_string("[].length = 2**32 - 1"),
nxt_string("MemoryError") },
+ { nxt_string("[].length = 3e9"),
+ nxt_string("MemoryError") },
+
{ nxt_string("Object.defineProperty([], 'length',{value: 2**32 - 1})"),
nxt_string("MemoryError") },
diff -r 987f7998a967 -r 3b2689be3a57 nxt/nxt_mem_cache_pool.c
--- a/nxt/nxt_mem_cache_pool.c Thu Nov 22 15:35:25 2018 +0300
+++ b/nxt/nxt_mem_cache_pool.c Thu Nov 22 17:38:25 2018 +0300
@@ -14,6 +14,7 @@
#include <nxt_rbtree.h>
#include <nxt_mem_cache_pool.h>
#include <string.h>
+#include <stdint.h>
/*
@@ -586,7 +587,7 @@ nxt_mem_cache_alloc_large(nxt_mem_cache_
nxt_mem_cache_block_t *block;
/* Allocation must be less than 4G. */
- if (nxt_slow_path(size >= 0xffffffff)) {
+ if (nxt_slow_path(size >= UINT32_MAX)) {
return NULL;
}
More information about the nginx-devel
mailing list