[njs] Fixed information leak in Buffer.from().

Dmitry Volyntsev xeioex at nginx.com
Mon Dec 27 16:07:00 UTC 2021


details:   https://hg.nginx.org/njs/rev/752d3d8ab217
branches:  
changeset: 1789:752d3d8ab217
user:      Artem S. Povalyukhin <artem.povaluhin at gmail.com>
date:      Sat Dec 25 22:45:30 2021 +0300
description:
Fixed information leak in Buffer.from().

This closes #446 on GitHub.

diffstat:

 src/njs_buffer.c         |  23 +++--------------------
 src/test/njs_unit_test.c |   8 ++++++++
 2 files changed, 11 insertions(+), 20 deletions(-)

diffs (65 lines):

diff -r 2e544ef59092 -r 752d3d8ab217 src/njs_buffer.c
--- a/src/njs_buffer.c	Sat Dec 25 22:45:30 2021 +0300
+++ b/src/njs_buffer.c	Sat Dec 25 22:45:30 2021 +0300
@@ -339,8 +339,7 @@ njs_buffer_from_object(njs_vm_t *vm, njs
     uint32_t           i;
     njs_str_t          str;
     njs_int_t          ret;
-    njs_array_t        *array;
-    njs_value_t        retval, length;
+    njs_value_t        data, retval, length;
     njs_typed_array_t  *buffer;
 
     static const njs_value_t  string_length = njs_string("length");
@@ -379,7 +378,8 @@ next:
         }
 
         if (njs_is_object(&retval)) {
-            value = &retval;
+            njs_value_assign(&data, &retval);
+            value = &data;
             goto next;
         }
 
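Review bot: The copy into `data` before `value = &data` has no comment saying why it is needed, and the reason is not visible at this spot. The per-element loop later in the function calls `njs_value_property_i64(vm, value, i, &retval)`, so if `value` still pointed at `retval`, the first element read would overwrite the object being iterated. I would add `/* retval is reused as the per-element output below; keep the source object in its own slot. */` above the `njs_value_assign()` call. The `next:` block starts and ends outside this hunk, so any other use of `retval` between the label and the loop cannot be checked from here.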
@@ -398,23 +398,6 @@ next:
 
     p = njs_typed_array_buffer(buffer)->u.u8;
 
-    if (njs_is_fast_array(value)) {
-        array = njs_array(value);
-
-        for (i = 0; i < array->length; i++) {
-            ret = njs_value_to_number(vm, &array->start[i], &num);
-            if (njs_slow_path(ret != NJS_OK)) {
-                return ret;
-            }
-
-            *p++ = njs_number_to_int32(num);
-        }
-
-        njs_set_typed_array(&vm->retval, buffer);
-
-        return NJS_OK;
-    }
-
     for (i = 0; i < len; i++) {
         ret = njs_value_property_i64(vm, value, i, &retval);
         if (njs_slow_path(ret == NJS_ERROR)) {
diff -r 2e544ef59092 -r 752d3d8ab217 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c	Sat Dec 25 22:45:30 2021 +0300
+++ b/src/test/njs_unit_test.c	Sat Dec 25 22:45:30 2021 +0300
@@ -19926,6 +19926,14 @@ static njs_unit_test_t  njs_buffer_modul
     { njs_str("Buffer.from({ type: 'Buffer', get data() { throw new Error('test'); } })"),
       njs_str("Error: test") },
 
+    { njs_str("var a = [1,2,3,4]; a[1] = { valueOf() { a.length = 3; return 1; } };"
+              "njs.dump(Buffer.from(a))"),
+      njs_str("Buffer [1,1,3,0]") },
+
+    { njs_str("var a = [1,2,3,4]; a[1] = { valueOf() { a.length = 4096; a.fill(13); return 1; } };"
+              "njs.dump(Buffer.from(a))"),
+      njs_str("Buffer [1,1,13,13]") },
+
     { njs_str("["
              " ['6576696c', 'hex'],"
              " ['ZXZpbA==', 'base64'],"
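Review bot: Both new cases pass the array to Buffer.from() directly, so the `njs_is_object(&retval)` branch changed in src/njs_buffer.c is not exercised with an array that changes length during conversion. That branch is presumably the `{ type: 'Buffer', data: ... }` form. A third case that wraps the same array, `Buffer.from({ type: 'Buffer', data: a })` with the `valueOf()` from the first case, would cover the new `data` copy as well. I would expect the same `Buffer [1,1,3,0]` result, but that should be confirmed by running it. A one-line comment above the new cases, `/* Array resized by valueOf() while Buffer.from() is reading it. */`, would also tell the next reader what they guard against.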

