[njs] Fixed heap-buffer-overflow in toUpperCase() and toLowerCase().

Dmitry Volyntsev xeioex at nginx.com
Thu May 30 14:14:49 UTC 2019 

details:   https://hg.nginx.org/njs/rev/cc9a99f09b51
branches:  
changeset: 995:cc9a99f09b51
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Thu May 30 16:46:26 2019 +0300
description:
Fixed heap-buffer-overflow in toUpperCase() and toLowerCase().

In String.prototype. This closes #162 issue on Github.

diffstat:

 njs/njs_string.c         |  18 ++++++++++--------
 njs/test/njs_unit_test.c |   8 ++++----
 2 files changed, 14 insertions(+), 12 deletions(-)

diffs (76 lines):

diff -r b6ecd0086ed3 -r cc9a99f09b51 njs/njs_string.c
--- a/njs/njs_string.c	Thu May 30 16:16:22 2019 +0300
+++ b/njs/njs_string.c	Thu May 30 16:46:26 2019 +0300
@@ -2171,7 +2171,7 @@ static njs_ret_t
 njs_string_prototype_to_lower_case(njs_vm_t *vm, njs_value_t *args,
     nxt_uint_t nargs, njs_index_t unused)
 {
-    size_t             size;
+    size_t             size, length;
     u_char             *p, *start;
     const u_char       *s, *end;
     njs_string_prop_t  string;
@@ -2198,10 +2198,11 @@ njs_string_prototype_to_lower_case(njs_v
     } else {
         /* UTF-8 string. */
         end = s + size;
-
-        while (size != 0) {
+        length = string.length;
+
+        while (length != 0) {
             p = nxt_utf8_encode(p, nxt_utf8_lower_case(&s, end));
-            size--;
+            length--;
         }
     }
 
@@ -2219,7 +2220,7 @@ static njs_ret_t
 njs_string_prototype_to_upper_case(njs_vm_t *vm, njs_value_t *args,
     nxt_uint_t nargs, njs_index_t unused)
 {
-    size_t             size;
+    size_t             size, length;
     u_char             *p, *start;
     const u_char       *s, *end;
     njs_string_prop_t  string;
@@ -2246,10 +2247,11 @@ njs_string_prototype_to_upper_case(njs_v
     } else {
         /* UTF-8 string. */
         end = s + size;
-
-        while (size != 0) {
+        length = string.length;
+
+        while (length != 0) {
             p = nxt_utf8_encode(p, nxt_utf8_upper_case(&s, end));
-            size--;
+            length--;
         }
     }
 
diff -r b6ecd0086ed3 -r cc9a99f09b51 njs/test/njs_unit_test.c
--- a/njs/test/njs_unit_test.c	Thu May 30 16:16:22 2019 +0300
+++ b/njs/test/njs_unit_test.c	Thu May 30 16:46:26 2019 +0300
@@ -5277,8 +5277,8 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("'абв абв абвгдежз'.endsWith('абвгд', 14)"),
       nxt_string("false") },
 
-    { nxt_string("'ABC'.toLowerCase()"),
-      nxt_string("abc") },
+    { nxt_string("'\x00АБВГДЕЁЖЗ'.toLowerCase().length"),
+      nxt_string("10") },
 
     { nxt_string("'ΑΒΓ'.toLowerCase()"),
       nxt_string("αβγ") },
@@ -5292,8 +5292,8 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("'αβγ'.toUpperCase()"),
       nxt_string("ΑΒΓ") },
 
-    { nxt_string("'абв'.toUpperCase()"),
-      nxt_string("АБВ") },
+    { nxt_string("'\x00абвгдеёжз'.toUpperCase().length"),
+      nxt_string("10") },
 
     { nxt_string("var a = [], code;"
                  "for (code = 0; code <= 1114111; code++) {"

More information about the nginx-devel mailing list