[njs] Fixed heap-use-after-free in JSON.stringify().
Alexander Borisov
alexander.borisov at nginx.com
Tue Oct 6 17:52:30 UTC 2020
details: https://hg.nginx.org/njs/rev/da7b98611f57
branches:
changeset: 1536:da7b98611f57
user: Alexander Borisov <alexander.borisov at nginx.com>
date: Tue Oct 06 20:24:21 2020 +0300
description:
Fixed heap-use-after-free in JSON.stringify().
njs_json_stringify_iterator() assumed, while stringifying flat arrays, that a
flat array will always remain flat. This is not the case for flat arrays with
values with custom getters which may modify the enclosing array upon
invocation.
This closes #322 issue on GitHub.
diffstat:
src/njs_json.c | 13 ++++++++++++-
src/test/njs_unit_test.c | 7 +++++++
2 files changed, 19 insertions(+), 1 deletions(-)
diffs (40 lines):
diff -r 119064deed61 -r da7b98611f57 src/njs_json.c
--- a/src/njs_json.c Tue Oct 06 19:53:26 2020 +0300
+++ b/src/njs_json.c Tue Oct 06 20:24:21 2020 +0300
@@ -1296,7 +1296,18 @@ njs_json_stringify_iterator(njs_vm_t *vm
njs_json_stringify_indent(stringify, &chain, 0);
}
- stringify->retval = njs_array_start(&state->value)[state->index++];
+ if (njs_is_fast_array(&state->value)) {
+ value = njs_array_start(&state->value);
+ stringify->retval = value[state->index++];
+
+ } else {
+ ret = njs_value_property_i64(vm, &state->value, state->index++,
+ &stringify->retval);
+ if (njs_slow_path(ret == NJS_ERROR)) {
+ return ret;
+ }
+ }
+
value = &stringify->retval;
ret = njs_json_stringify_to_json(stringify, state, NULL, value);
diff -r 119064deed61 -r da7b98611f57 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Tue Oct 06 19:53:26 2020 +0300
+++ b/src/test/njs_unit_test.c Tue Oct 06 20:24:21 2020 +0300
@@ -16848,6 +16848,13 @@ static njs_unit_test_t njs_test[] =
{ njs_str("var a = {}; a.a = a; JSON.stringify(a)"),
njs_str("TypeError: Nested too deep or a cyclic structure") },
+ { njs_str("var array = [1,2,3];"
+ "array[1] = {get value() {"
+ " Object.defineProperty(array, '2', {get: () => 10}) }"
+ "};"
+ "JSON.stringify(array)"),
+ njs_str("[1,{},10]") },
+
/* njs.dump(). */
{ njs_str("njs.dump({a:1, b:[1,,2,{c:new Boolean(1)}]})"),
More information about the nginx-devel
mailing list