[njs] Fixed heap-use-after-free in JSON.stringify().

Alexander Borisov alexander.borisov at nginx.com
Tue Oct 6 17:52:30 UTC 2020


details:   https://hg.nginx.org/njs/rev/da7b98611f57
branches:  
changeset: 1536:da7b98611f57
user:      Alexander Borisov <alexander.borisov at nginx.com>
date:      Tue Oct 06 20:24:21 2020 +0300
description:
Fixed heap-use-after-free in JSON.stringify().

njs_json_stringify_iterator() assumed, while stringifying flat arrays, that a
flat array will always remain flat.  This is not the case for flat arrays with
values with custom getters which may modify the enclosing array upon
invocation.

This closes #322 issue on GitHub.

diffstat:

 src/njs_json.c           |  13 ++++++++++++-
 src/test/njs_unit_test.c |   7 +++++++
 2 files changed, 19 insertions(+), 1 deletions(-)

diffs (40 lines):

diff -r 119064deed61 -r da7b98611f57 src/njs_json.c
--- a/src/njs_json.c	Tue Oct 06 19:53:26 2020 +0300
+++ b/src/njs_json.c	Tue Oct 06 20:24:21 2020 +0300
@@ -1296,7 +1296,18 @@ njs_json_stringify_iterator(njs_vm_t *vm
                 njs_json_stringify_indent(stringify, &chain, 0);
             }
 
-            stringify->retval = njs_array_start(&state->value)[state->index++];
+            if (njs_is_fast_array(&state->value)) {
+                value = njs_array_start(&state->value);
+                stringify->retval = value[state->index++];
+
+            } else {
+                ret = njs_value_property_i64(vm, &state->value, state->index++,
+                                             &stringify->retval);
+                if (njs_slow_path(ret == NJS_ERROR)) {
+                    return ret;
+                }
+            }
+
             value = &stringify->retval;
 
             ret = njs_json_stringify_to_json(stringify, state, NULL, value);
diff -r 119064deed61 -r da7b98611f57 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c	Tue Oct 06 19:53:26 2020 +0300
+++ b/src/test/njs_unit_test.c	Tue Oct 06 20:24:21 2020 +0300
@@ -16848,6 +16848,13 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("var a = {}; a.a = a; JSON.stringify(a)"),
       njs_str("TypeError: Nested too deep or a cyclic structure") },
 
+    { njs_str("var array = [1,2,3];"
+              "array[1] = {get value() {"
+              "    Object.defineProperty(array, '2', {get: () => 10}) }"
+              "};"
+              "JSON.stringify(array)"),
+      njs_str("[1,{},10]") },
+
     /* njs.dump(). */
 
     { njs_str("njs.dump({a:1, b:[1,,2,{c:new Boolean(1)}]})"),


More information about the nginx-devel mailing list