[njs] Fixed heap-buffer-overflow in String.prototype.lastIndexOf().

Dmitry Volyntsev xeioex at nginx.com
Tue May 14 16:34:19 UTC 2019


details:   https://hg.nginx.org/njs/rev/895f4887702d
branches:  
changeset: 963:895f4887702d
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Tue May 14 19:13:53 2019 +0300
description:
Fixed heap-buffer-overflow in String.prototype.lastIndexOf().

This closes #151 issue on Github.

diffstat:

 njs/njs_string.c         |   9 +++++++--
 njs/test/njs_unit_test.c |  10 ++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)

diffs (39 lines):

diff -r 1cce73676665 -r 895f4887702d njs/njs_string.c
--- a/njs/njs_string.c	Tue May 14 19:00:03 2019 +0300
+++ b/njs/njs_string.c	Tue May 14 19:13:53 2019 +0300
@@ -1831,8 +1831,13 @@ njs_string_prototype_last_index_of(njs_v
         }
     }
 
-    if (index > length) {
-        index = length;
+    if (search_length == 0) {
+        index = nxt_min(index, length);
+        goto done;
+    }
+
+    if (index >= length) {
+        index = length - 1;
     }
 
     if (string.size == (size_t) length) {
diff -r 1cce73676665 -r 895f4887702d njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c	Tue May 14 19:00:03 2019 +0300
+++ b/njs/test/njs_unit_test.c	Tue May 14 19:13:53 2019 +0300
@@ -5172,6 +5172,16 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("''.lastIndexOf(undefined)"),
       nxt_string("-1") },
 
+    { nxt_string("'β'.repeat(32).lastIndexOf('β')"),
+      nxt_string("31") },
+
+    { nxt_string("'β'.repeat(32).lastIndexOf``"),
+      nxt_string("32") },
+
+    { nxt_string("JSON.stringify(Array(24).fill(true).map((v,i) => 'abc abc ab abc абвгдежзab'.lastIndexOf('abc', i)))"
+                 "== JSON.stringify([].concat(Array(4).fill(0), Array(7).fill(4), Array(13).fill(11)))"),
+      nxt_string("true") },
+
     { nxt_string("''.includes('')"),
       nxt_string("true") },
 


More information about the nginx-devel mailing list