[njs] Fixed heap-buffer-overflow in String.prototype.lastIndexOf().
Dmitry Volyntsev
xeioex at nginx.com
Tue May 14 16:34:19 UTC 2019
details: https://hg.nginx.org/njs/rev/895f4887702d
branches:
changeset: 963:895f4887702d
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Tue May 14 19:13:53 2019 +0300
description:
Fixed heap-buffer-overflow in String.prototype.lastIndexOf().
This closes issue #151 on GitHub.
diffstat:
njs/njs_string.c | 9 +++++++--
njs/test/njs_unit_test.c | 10 ++++++++++
2 files changed, 17 insertions(+), 2 deletions(-)
diffs (39 lines):
diff -r 1cce73676665 -r 895f4887702d njs/njs_string.c
--- a/njs/njs_string.c Tue May 14 19:00:03 2019 +0300
+++ b/njs/njs_string.c Tue May 14 19:13:53 2019 +0300
@@ -1831,8 +1831,13 @@ njs_string_prototype_last_index_of(njs_v
}
}
- if (index > length) {
- index = length;
+ if (search_length == 0) {
+ index = nxt_min(index, length);
+ goto done;
+ }
+
+ if (index >= length) {
+ index = length - 1;
}
if (string.size == (size_t) length) {
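Review bot: The new clamp `index = length - 1` bounds where the backward scan starts, but not where the compared window ends: a needle of `search_length` characters cannot match at any position above `length - search_length`, and with an empty subject the clamp leaves `index` at -1. The comparison code lies outside this hunk, so it is not visible whether it checks the remaining size before each compare. If it does not, reject early with `if (search_length > length) { index = -1; goto done; }` and clamp with `index = nxt_min(index, length - search_length);`, assuming `done` returns `index` unchanged as the empty-search branch suggests. A short comment above the new `search_length == 0` branch, such as `/* An empty search string matches at min(fromIndex, length). */`, would also explain the early `goto done`.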
diff -r 1cce73676665 -r 895f4887702d njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c Tue May 14 19:00:03 2019 +0300
+++ b/njs/test/njs_unit_test.c Tue May 14 19:13:53 2019 +0300
@@ -5172,6 +5172,16 @@ static njs_unit_test_t njs_test[] =
{ nxt_string("''.lastIndexOf(undefined)"),
nxt_string("-1") },
+ { nxt_string("'β'.repeat(32).lastIndexOf('β')"),
+ nxt_string("31") },
+
+ { nxt_string("'β'.repeat(32).lastIndexOf``"),
+ nxt_string("32") },
+
+ { nxt_string("JSON.stringify(Array(24).fill(true).map((v,i) => 'abc abc ab abc абвгдежзab'.lastIndexOf('abc', i)))"
+ "== JSON.stringify([].concat(Array(4).fill(0), Array(7).fill(4), Array(13).fill(11)))"),
+ nxt_string("true") },
+
{ nxt_string("''.includes('')"),
nxt_string("true") },
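Review bot: All three added cases use subjects with multi-byte characters (`β`, Cyrillic), so none of them reaches the branch guarded by `string.size == (size_t) length` that follows the changed clamp in njs_string.c. Unless such cases already exist outside this hunk, add single-byte regression cases with a needle longer than the subject and with a `fromIndex` past the end, for example `{ nxt_string("'abc'.lastIndexOf('abcd')"), nxt_string("-1") },` and `{ nxt_string("'abc abc'.lastIndexOf('abc', 100)"), nxt_string("4") },`. These only guard against a regression when the unit tests run under AddressSanitizer, because an out-of-bounds read can still produce the expected result.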