[njs] Fixed stack-use-after-scope in Array.prototype.map().
Alexander Borisov
alexander.borisov at nginx.com
Tue Sep 17 08:30:12 UTC 2019
details: https://hg.nginx.org/njs/rev/1293f464dcc7
branches:
changeset: 1161:1293f464dcc7
user: Alexander Borisov <alexander.borisov at nginx.com>
date: Tue Sep 17 11:29:10 2019 +0300
description:
Fixed stack-use-after-scope in Array.prototype.map().
In njs_array_iterator(), args.value is replaced with a value on the stack
for non-object strings.
diffstat:
src/njs_array.c | 6 +++---
src/test/njs_unit_test.c | 3 +++
2 files changed, 6 insertions(+), 3 deletions(-)
diffs (32 lines):
diff -r d0d4fa8918ac -r 1293f464dcc7 src/njs_array.c
--- a/src/njs_array.c Tue Sep 17 09:20:24 2019 +0300
+++ b/src/njs_array.c Tue Sep 17 11:29:10 2019 +0300
@@ -1917,12 +1917,12 @@ njs_array_prototype_map(njs_vm_t *vm, nj
return ret;
}
- if (njs_is_array(iargs.value)
- && njs_object_hash_is_empty(iargs.value))
+ if (njs_is_array(&args[0])
+ && njs_object_hash_is_empty(&args[0]))
{
array = iargs.array;
- for (i = njs_array_len(iargs.value); i < length; i++) {
+ for (i = njs_array_len(&args[0]); i < length; i++) {
njs_set_invalid(&array->start[i]);
}
}
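Review bot: The `njs_is_array(&args[0])` check and the loop below it now avoid `iargs.value`, but nothing records why, and `iargs.value` presumably still holds the pointer to the temporary that njs_array_iterator() substituted for a primitive string, so a later edit could reintroduce the stale read. A short comment above the `if` would guard against that, e.g. `/* iargs.value may point to a temporary owned by njs_array_iterator(); use args[0]. */`. Resetting the field inside the iterator before it returns would remove the hazard for other callers as well, though the iterator is not visible in this hunk. njs_array_prototype_map() begins and ends outside the hunk.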
diff -r d0d4fa8918ac -r 1293f464dcc7 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Tue Sep 17 09:20:24 2019 +0300
+++ b/src/test/njs_unit_test.c Tue Sep 17 11:29:10 2019 +0300
@@ -4506,6 +4506,9 @@ static njs_unit_test_t njs_test[] =
".every(x => x === true)"),
njs_str("true") },
+ { njs_str("Array.prototype.map.call('abcdef', (val, idx, obj) => {return val === 100})"),
+ njs_str("false,false,false,false,false,false") },
+
{ njs_str("var a = [];"
"a.reduce(function(p, v, i, a) { return p + v })"),
njs_str("TypeError: invalid index") },
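Review bot: The new `Array.prototype.map.call('abcdef', ...)` entry checks only the joined result, and the stale read it guards against happens after the callbacks have run, so the case probably fails on a regression only in an AddressSanitizer build. A comment on the entry would make that dependency explicit, e.g. `/* Needs ASan: stack-use-after-scope in map() on a primitive string. */`. The `njs_test[]` array starts and ends outside the hunk.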