[njs] Fixed potential integer-overflow in String.prototype.replace().
Dmitry Volyntsev
xeioex at nginx.com
Mon Feb 17 14:01:49 UTC 2020
details: https://hg.nginx.org/njs/rev/d2877d602d39
branches:
changeset: 1329:d2877d602d39
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Mon Feb 17 16:18:40 2020 +0300
description:
Fixed potential integer-overflow in String.prototype.replace().
diffstat:
src/njs_string.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diffs (20 lines):
diff -r db3a66bd71c1 -r d2877d602d39 src/njs_string.c
--- a/src/njs_string.c Mon Feb 17 16:18:38 2020 +0300
+++ b/src/njs_string.c Mon Feb 17 16:18:40 2020 +0300
@@ -3672,10 +3672,16 @@ njs_string_replace_regexp_function(njs_v
njs_value_t *arguments;
njs_string_prop_t string;
+ if (njs_slow_path((n + 3) >= UINT32_MAX / sizeof(njs_value_t))) {
+ njs_memory_error(vm);
+ return NJS_ERROR;
+ }
+
njs_set_invalid(&r->retval);
arguments = njs_mp_alloc(vm->mem_pool, (n + 3) * sizeof(njs_value_t));
if (njs_slow_path(arguments == NULL)) {
+ njs_memory_error(vm);
return NJS_ERROR;
}
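Review bot: The added guard evaluates `n + 3` before the comparison, so the addition itself can wrap if `n` is a 32-bit unsigned type (its declaration is outside the hunk, so this is an assumption to confirm). A value within 3 of the type's maximum would then become a small number and pass the check, and the same wrapped `(n + 3)` would size the allocation on the `njs_mp_alloc` line. Moving the constant to the other side keeps the test free of wraparound: `if (njs_slow_path(n >= UINT32_MAX / sizeof(njs_value_t) - 3)) {`. A one-line comment above the check, for example `/* Bound n so that (n + 3) * sizeof(njs_value_t) cannot overflow. */`, would record why the limit exists. The function body starts and ends outside the hunk, so how `n` is bounded upstream is not visible here.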