[njs] Fixed allocation of large array literals.

Dmitry Volyntsev xeioex at nginx.com
Mon Feb 21 16:55:02 UTC 2022 

details:   https://hg.nginx.org/njs/rev/805c1c96a2d2
branches:  
changeset: 1831:805c1c96a2d2
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Mon Feb 21 16:53:16 2022 +0000
description:
Fixed allocation of large array literals.

Previously, allocation of large array literals may result in
null-pointer dereference. The reason is that njs_array_alloc() may
return a slow array when size is large enough, but the instruction
code assumes that array is always flat.

The fix is to check fast_array flag before accessing array->start.

This closes #473 issue on Github.

diffstat:

 src/njs_vmcode.c         |  18 ++++++++++--------
 src/test/njs_unit_test.c |   4 ++++
 2 files changed, 14 insertions(+), 8 deletions(-)

diffs (42 lines):

diff -r eb8689f0a850 -r 805c1c96a2d2 src/njs_vmcode.c
--- a/src/njs_vmcode.c	Mon Feb 21 16:52:59 2022 +0000
+++ b/src/njs_vmcode.c	Mon Feb 21 16:53:16 2022 +0000
@@ -1055,14 +1055,16 @@ njs_vmcode_array(njs_vm_t *vm, u_char *p
 
         if (code->ctor) {
             /* Array of the form [,,,], [1,,]. */
-            value = array->start;
-            length = array->length;
-
-            do {
-                njs_set_invalid(value);
-                value++;
-                length--;
-            } while (length != 0);
+            if (array->object.fast_array) {
+                value = array->start;
+                length = array->length;
+
+                do {
+                    njs_set_invalid(value);
+                    value++;
+                    length--;
+                } while (length != 0);
+            }
 
         } else {
             /* Array of the form [], [,,1], [1,2,3]. */
diff -r eb8689f0a850 -r 805c1c96a2d2 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c	Mon Feb 21 16:52:59 2022 +0000
+++ b/src/test/njs_unit_test.c	Mon Feb 21 16:53:16 2022 +0000
@@ -13154,6 +13154,10 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("(new Function('return 5' + '** 1'.repeat(2**13)))()"),
       njs_str("5") },
 
+    { njs_str("var a = (new Function('return [' + ','.repeat(2**16) + ']'))();"
+			  "njs.dump(a)"),
+      njs_str("[<65536 empty items>]") },
+
     { njs_str("(new Function('var a = 7; return a' + '= a'.repeat(2**13)))()"),
       njs_str("7") },

More information about the nginx-devel mailing list