[njs] Fixed potential heap-buffer-overflow in njs_vm_value().

Dmitry Volyntsev xeioex at nginx.com
Fri Apr 10 11:16:01 UTC 2020


details:   https://hg.nginx.org/njs/rev/5f4adb155dcf
branches:  
changeset: 1368:5f4adb155dcf
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Fri Apr 10 11:15:12 2020 +0000
description:
Fixed potential heap-buffer-overflow in njs_vm_value().

The issue was introduced in 7ccb8b32cc02.

diffstat:

 src/njs_vm.c             |   2 +-
 src/test/njs_unit_test.c |  14 ++++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diffs (43 lines):

diff -r 7ccb8b32cc02 -r 5f4adb155dcf src/njs_vm.c
--- a/src/njs_vm.c	Wed Apr 08 13:15:02 2020 +0000
+++ b/src/njs_vm.c	Fri Apr 10 11:15:12 2020 +0000
@@ -593,7 +593,7 @@ njs_vm_value(njs_vm_t *vm, const njs_str
     njs_set_object(&value, &vm->global_object);
 
     for ( ;; ) {
-        p = njs_strchr(start, '.');
+        p = njs_strlchr(start, end, '.');
 
         size = ((p != NULL) ? p : end) - start;
         if (njs_slow_path(size == 0)) {
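Review bot: The bounded search at `p = njs_strlchr(start, end, '.');` has no comment saying why it must be bounded, so a later cleanup could put the unbounded call back. A one-line comment above it would record the invariant, for example `/* path is length-delimited and may lack a trailing NUL: never scan past end. */`. `end` is set outside this hunk, presumably to `path->start + path->length`. The loop body also continues past the last visible line, so any other string helpers further down are worth checking for the same NUL-termination assumption.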
diff -r 7ccb8b32cc02 -r 5f4adb155dcf src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c	Wed Apr 08 13:15:02 2020 +0000
+++ b/src/test/njs_unit_test.c	Fri Apr 10 11:15:12 2020 +0000
@@ -17472,7 +17472,7 @@ njs_vm_value_test(njs_opts_t *opts, njs_
 {
     njs_vm_t      *vm;
     njs_int_t     ret;
-    njs_str_t     s, *script;
+    njs_str_t     s, *script, path;
     njs_uint_t    i;
     njs_bool_t    success;
     njs_stat_t    prev;
@@ -17564,7 +17564,17 @@ njs_vm_value_test(njs_opts_t *opts, njs_
             goto done;
         }
 
-        ret = njs_vm_value(vm, &tests[i].path, &vm->retval);
+        path = tests[i].path;
+
+        path.start = njs_mp_alloc(vm->mem_pool, path.length);
+        if (path.start == NULL) {
+            njs_printf("njs_mp_alloc() failed\n");
+            goto done;
+        }
+
+        memcpy(path.start, tests[i].path.start, path.length);
+
+        ret = njs_vm_value(vm, &path, &vm->retval);
 
         if (njs_vm_retval_string(vm, &s) != NJS_OK) {
             njs_printf("njs_vm_retval_string() failed\n");
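Review bot: The copy into an exactly `path.length`-sized buffer before `njs_vm_value(vm, &path, &vm->retval)` is unexplained, yet it is what makes this a regression test. The string in `tests[i].path` is presumably a NUL-terminated literal, so the old unbounded scan would have stopped harmlessly on it. A comment such as `/* Copy without a trailing NUL so a read past path.length leaves the allocation. */` would keep someone from simplifying the copy away. Catching the over-read still depends on running the unit tests under a memory checker, and the hunk does not show whether njs_mp_alloc() chunks are individually visible to one. The enclosing function starts and ends outside the hunk.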

