[njs] Fixed overflow in Array.prototype.concat().
Alexander Borisov
alexander.borisov at nginx.com
Fri Apr 19 17:12:04 UTC 2019
details: https://hg.nginx.org/njs/rev/8f87e3ef4a4d
branches:
changeset: 913:8f87e3ef4a4d
user: Alexander Borisov <alexander.borisov at nginx.com>
date: Fri Apr 19 17:24:29 2019 +0300
description:
Fixed overflow in Array.prototype.concat().
This closes issue #131 on GitHub.
diffstat:
njs/njs_array.c | 2 +-
njs/test/njs_unit_test.c | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletions(-)
diffs (30 lines):
diff -r 434c654ef638 -r 8f87e3ef4a4d njs/njs_array.c
--- a/njs/njs_array.c Fri Apr 19 17:48:39 2019 +0300
+++ b/njs/njs_array.c Fri Apr 19 17:24:29 2019 +0300
@@ -1125,7 +1125,7 @@ static njs_ret_t
njs_array_prototype_concat(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs,
njs_index_t unused)
{
- size_t length;
+ uint64_t length;
nxt_uint_t i;
njs_value_t *value;
njs_array_t *array;
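Review bot: Widening `length` to `uint64_t` stops the running total from wrapping, but nothing in this hunk shows the total being range-checked before it sizes the result array; the body of njs_array_prototype_concat continues outside the hunk. If the allocation call further down takes a narrower type (for example a 32-bit `size_t` or a `uint32_t`), the 64-bit sum would be truncated at that call and the undersized allocation would return. Confirm there is an explicit upper-bound check on `length` before the allocation. It would also help to document the intent on the declaration, e.g. `uint64_t length; /* 64-bit: sum of argument lengths must not wrap on 32-bit builds */`.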
diff -r 434c654ef638 -r 8f87e3ef4a4d njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c Fri Apr 19 17:48:39 2019 +0300
+++ b/njs/test/njs_unit_test.c Fri Apr 19 17:24:29 2019 +0300
@@ -7956,6 +7956,14 @@ static njs_unit_test_t njs_test[] =
{ nxt_string("var x = Array(2**28)"),
nxt_string("MemoryError") },
+ { nxt_string("var r; try {"
+ " var x = Array(2**27), y = Array(2**5).fill(x);"
+ " Array.prototype.concat.apply(y[0], y.slice(1));"
+ "} catch (e) {"
+ " r = e.name == 'InternalError' || e.name == 'RangeError'"
+ "} r"),
+ nxt_string("true") },
+
{ nxt_string("var a = new Array(3); a"),
nxt_string(",,") },
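Review bot: The new test entry accepts either `InternalError` or `RangeError` with no comment saying why both are acceptable or which boundary is being exercised, so a later reader cannot tell what failure mode it pins. The inputs are 2**5 arrays of 2**27 elements, a combined length of 2**32, which is where a 32-bit counter wraps to zero. A comment above the entry such as `/* concat() total length 2**32 must raise, not wrap (GitHub #131) */` would make that explicit. If the error type is deterministic for a given build, consider asserting the single expected name so that an unrelated exception cannot satisfy the test.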