[njs] Fixed overflow in Array.prototype.concat().

Alexander Borisov alexander.borisov at nginx.com
Fri Apr 19 17:12:04 UTC 2019


details:   https://hg.nginx.org/njs/rev/8f87e3ef4a4d
branches:  
changeset: 913:8f87e3ef4a4d
user:      Alexander Borisov <alexander.borisov at nginx.com>
date:      Fri Apr 19 17:24:29 2019 +0300
description:
Fixed overflow in Array.prototype.concat().

This closes issue #131 on GitHub.

diffstat:

 njs/njs_array.c          |  2 +-
 njs/test/njs_unit_test.c |  8 ++++++++
 2 files changed, 9 insertions(+), 1 deletions(-)

diffs (30 lines):

diff -r 434c654ef638 -r 8f87e3ef4a4d njs/njs_array.c
--- a/njs/njs_array.c	Fri Apr 19 17:48:39 2019 +0300
+++ b/njs/njs_array.c	Fri Apr 19 17:24:29 2019 +0300
@@ -1125,7 +1125,7 @@ static njs_ret_t
 njs_array_prototype_concat(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs,
     njs_index_t unused)
 {
-    size_t       length;
+    uint64_t     length;
     nxt_uint_t   i;
     njs_value_t  *value;
     njs_array_t  *array;
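Review bot: Widening `length` to `uint64_t` only prevents the wrap if the accumulated total is compared against the maximum array length before it is narrowed again for allocation. That check is not visible in this hunk, because the body of njs_array_prototype_concat continues past it. With `size_t` on a 32-bit build the sum of the argument lengths could wrap to a small value, and the result array would presumably be undersized for the copy that follows. It is worth confirming that no later use passes `length` to a parameter narrower than 64 bits without a range check, and adding a comment on the declaration such as `/* 64-bit: the sum of argument lengths must not wrap on 32-bit targets. */`.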
diff -r 434c654ef638 -r 8f87e3ef4a4d njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c	Fri Apr 19 17:48:39 2019 +0300
+++ b/njs/test/njs_unit_test.c	Fri Apr 19 17:24:29 2019 +0300
@@ -7956,6 +7956,14 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("var x = Array(2**28)"),
       nxt_string("MemoryError") },
 
+    { nxt_string("var r; try {"
+                 "    var x = Array(2**27), y = Array(2**5).fill(x);"
+                 "    Array.prototype.concat.apply(y[0], y.slice(1));"
+                 "} catch (e) {"
+                 "    r = e.name == 'InternalError' || e.name == 'RangeError'"
+                 "} r"),
+      nxt_string("true") },
+
     { nxt_string("var a = new Array(3); a"),
       nxt_string(",,") },
 
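Review bot: The catch block accepts either `InternalError` or `RangeError`, so the test does not pin which guard rejects the oversized concat. A `MemoryError` raised by `Array(2**27)` itself (the entry just above expects one from `Array(2**28)`) would also yield `false` for a reason unrelated to the fix. Consider asserting a single expected error name where the platform behaviour is known, or at least document the arithmetic with a comment such as `/* 2**27 * 2**5 == 2**32 elements: the total does not fit a 32-bit length. */`. The njs_test[] table starts and ends outside the hunk.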

