[njs] Fixed heap-use-after-free introduced in 045ba10db769.
Dmitry Volyntsev
xeioex at nginx.com
Wed Jan 16 15:55:34 UTC 2019
details: https://hg.nginx.org/njs/rev/4c0de77ef946
branches:
changeset: 728:4c0de77ef946
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Wed Jan 16 18:55:16 2019 +0300
description:
Fixed heap-use-after-free introduced in 045ba10db769.
diffstat:
njs/njs_function.c | 3 ++-
njs/njs_vm.c | 5 ++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diffs (48 lines):
diff -r fb2c2bca61c2 -r 4c0de77ef946 njs/njs_function.c
--- a/njs/njs_function.c Fri Jan 11 19:20:38 2019 +0800
+++ b/njs/njs_function.c Wed Jan 16 18:55:16 2019 +0300
@@ -528,7 +528,6 @@ njs_function_native_call(njs_vm_t *vm, n
frame = vm->top_frame;
vm->top_frame = njs_function_previous_frame(frame);
- njs_function_frame_free(vm, frame);
/*
* If a retval is in a callee arguments scope it
@@ -552,6 +551,8 @@ njs_function_native_call(njs_vm_t *vm, n
*value = vm->retval;
}
+ njs_function_frame_free(vm, frame);
+
return NXT_OK;
}
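Review bot: The relocated `njs_function_frame_free(vm, frame);` on the new side has no comment tying it to the retval copy it now follows, so nothing stops a later reorder from reintroducing the use-after-free this commit fixes; a comment such as `/* Free the frame only after retval has been copied out of the callee arguments scope. */` above the call would record the ordering constraint. The frame is popped from `vm->top_frame` in the first hunk (L20-L25) but, as far as the visible lines show, freed only on this NXT_OK path, so if any early return exists between the pop and this free the frame would leak on that path; the body of njs_function_native_call between the two hunks is outside SOURCE, so this is worth checking rather than a confirmed defect.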
diff -r fb2c2bca61c2 -r 4c0de77ef946 njs/njs_vm.c
--- a/njs/njs_vm.c Fri Jan 11 19:20:38 2019 +0800
+++ b/njs/njs_vm.c Wed Jan 16 18:55:16 2019 +0300
@@ -2287,12 +2287,15 @@ const njs_vmcode_generic_t njs_continua
static njs_ret_t
njs_vmcode_continuation(njs_vm_t *vm, njs_value_t *invld1, njs_value_t *invld2)
{
+ u_char *return_address;
njs_ret_t ret;
njs_native_frame_t *frame;
njs_continuation_t *cont;
frame = vm->top_frame;
+
cont = njs_vm_continuation(vm);
+ return_address = cont->return_address;
ret = njs_function_native_call(vm, cont->function, frame->arguments,
cont->args_types, frame->nargs,
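Review bot: `return_address = cont->return_address;` is taken before the call because njs_function_native_call() now frees the native frame that `cont` lives in, but the new line carries no comment saying so; add `/* cont is inside the frame that njs_function_native_call() frees; read it before the call. */` so the next maintainer does not move the read back. After the call both `frame` and `cont` are dangling pointers to freed memory; the fourth hunk (L50-L56) fixes the one read on the NXT_OK path, but the remainder of njs_vmcode_continuation is outside this hunk, so any other use of either pointer past the call would have the same heap-use-after-free and should be audited. Assigning `cont = NULL; frame = NULL;` immediately after the call would turn a stale read into a deterministic null dereference instead of a silent read of freed memory.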
@@ -2300,7 +2303,7 @@ njs_vmcode_continuation(njs_vm_t *vm, nj
switch (ret) {
case NXT_OK:
- vm->current = cont->return_address;
+ vm->current = return_address;
/* Fall through. */
case NJS_APPLIED: