[njs] Fixed njs_array_convert_to_slow_array().
Dmitry Volyntsev
xeioex at nginx.com
Sat Jun 11 07:17:02 UTC 2022
details: https://hg.nginx.org/njs/rev/c6522ba4bd53
branches:
changeset: 1888:c6522ba4bd53
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Sat Jun 11 00:15:49 2022 -0700
description:
Fixed njs_array_convert_to_slow_array().
Previously, the function might free an invalid pointer, as array->start
does not always point to the beginning of the allocated memory block.
This closes issue #540 on GitHub.
diffstat:
src/njs_array.c | 2 +-
src/test/njs_unit_test.c | 6 ++++++
2 files changed, 7 insertions(+), 1 deletions(-)
diffs (28 lines):
diff -r 77758def397a -r c6522ba4bd53 src/njs_array.c
--- a/src/njs_array.c Sat Jun 11 00:15:30 2022 -0700
+++ b/src/njs_array.c Sat Jun 11 00:15:49 2022 -0700
@@ -165,7 +165,7 @@ njs_array_convert_to_slow_array(njs_vm_t
/* GC: release value. */
- njs_mp_free(vm->mem_pool, array->start);
+ njs_mp_free(vm->mem_pool, array->data);
array->start = NULL;
return NJS_OK;
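Review bot: After the corrected njs_mp_free(vm->mem_pool, array->data) call, only array->start is set to NULL in the visible context, so array->data still holds the address of the block that was just released. Consider clearing it in the same place (array->data = NULL;) so that a later free or dereference through that field fails loudly instead of touching freed pool memory. A one-line comment noting that array->data is the allocation base while array->start may point past it would also help prevent the same mix-up at other njs_mp_free() call sites.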
diff -r 77758def397a -r c6522ba4bd53 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Sat Jun 11 00:15:30 2022 -0700
+++ b/src/test/njs_unit_test.c Sat Jun 11 00:15:49 2022 -0700
@@ -4743,6 +4743,12 @@ static njs_unit_test_t njs_test[] =
"a.shift(); a"),
njs_str("2,3") },
+ { njs_str("var arr = [1,2];"
+ "arr.shift();"
+ "arr[2**20] = 3;"
+ "arr[2**20]"),
+ njs_str("3") },
+
{ njs_str("var a = []; a.splice()"),
njs_str("") },
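Review bot: The new test case asserts only on arr[2**20], so it catches the invalid free only when the allocator or a sanitizer aborts the run; in a build without that instrumentation it can pass even if the free is wrong. Consider extending the expression to also check the element that survives the shift and the resulting length (for example arr[0] and arr.length), so the test confirms the values were copied correctly during the conversion to a slow array. A short comment tying the case to issue #540 would make its purpose clear to later readers.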