[njs] Fixed njs_object_property() with NJS_WHITEOUT properties.

Dmitry Volyntsev xeioex at nginx.com
Tue Feb 28 06:15:45 UTC 2023


details:   https://hg.nginx.org/njs/rev/a79b6a75cfab
branches:  
changeset: 2055:a79b6a75cfab
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Mon Feb 27 22:14:36 2023 -0800
description:
Fixed njs_object_property() with NJS_WHITEOUT properties.

Previously, dumping an error object might result in an invalid pointer
dereference when a 'name' or 'message' property of accessor descriptor
type had been added and then removed.

The fix is to properly handle NJS_WHITEOUT properties.

This fixes #617 issue on Github.

diffstat:

 src/njs_object_prop.c    |   6 +++++-
 src/njs_value.c          |   9 ++++++---
 src/test/njs_unit_test.c |  10 ++++++++++
 3 files changed, 21 insertions(+), 4 deletions(-)

diffs (59 lines):

diff -r e4cef2c70d7c -r a79b6a75cfab src/njs_object_prop.c
--- a/src/njs_object_prop.c	Mon Feb 27 22:14:36 2023 -0800
+++ b/src/njs_object_prop.c	Mon Feb 27 22:14:36 2023 -0800
@@ -102,7 +102,11 @@ njs_object_property(njs_vm_t *vm, njs_ob
         ret = njs_lvlhsh_find(&object->hash, lhq);
 
         if (njs_fast_path(ret == NJS_OK)) {
-            goto found;
+            prop = lhq->value;
+
+            if (prop->type != NJS_WHITEOUT) {
+                goto found;
+            }
         }
 
         ret = njs_lvlhsh_find(&object->shared_hash, lhq);
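Review bot: When the own-hash entry is a whiteout, control now falls through to the `njs_lvlhsh_find(&object->shared_hash, lhq)` lookup on the same object. If a whiteout exists to hide a same-key entry in `shared_hash` (an inference, since the rest of njs_object_property() is outside the hunk), that lookup would return the property the delete was meant to mask. It is worth confirming this and either skipping the shared lookup in that case or stating why it is safe. At minimum the new branch deserves a comment above the `prop->type` test, such as `/* NJS_WHITEOUT marks a deleted slot; do not return it. */`.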
diff -r e4cef2c70d7c -r a79b6a75cfab src/njs_value.c
--- a/src/njs_value.c	Mon Feb 27 22:14:36 2023 -0800
+++ b/src/njs_value.c	Mon Feb 27 22:14:36 2023 -0800
@@ -1487,13 +1487,16 @@ slow_path:
         return NJS_ERROR;
     }
 
-    /* GC: release value. */
     if (removed != NULL) {
-        njs_value_assign(removed, njs_prop_value(prop));
+        if (njs_is_valid(njs_prop_value(prop))) {
+            njs_value_assign(removed, njs_prop_value(prop));
+
+        } else {
+            njs_set_undefined(removed);
+        }
     }
 
     prop->type = NJS_WHITEOUT;
-    njs_set_invalid(njs_prop_value(prop));
 
     return NJS_OK;
 }
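Review bot: With `njs_set_invalid(njs_prop_value(prop))` dropped, a whiteout slot keeps whatever payload it held before the delete, so safety now rests on every reader testing `prop->type` against NJS_WHITEOUT before touching the slot. The njs_object_prop.c hunk adds that test in one lookup path only. The line `prop->type = NJS_WHITEOUT;` should carry a comment saying so, e.g. `/* Payload is left untouched; readers must check for NJS_WHITEOUT first. */`, because the removed `/* GC: release value. */` was the only explanation here. The new `njs_is_valid(njs_prop_value(prop))` test also reads the value slot without looking at the property kind. Whether that read is meaningful for an accessor property cannot be told from this hunk, which starts mid-function at `slow_path`.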
diff -r e4cef2c70d7c -r a79b6a75cfab src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c	Mon Feb 27 22:14:36 2023 -0800
+++ b/src/test/njs_unit_test.c	Mon Feb 27 22:14:36 2023 -0800
@@ -22855,6 +22855,16 @@ static njs_unit_test_t  njs_shell_test[]
     { njs_str("var a = []; Object.defineProperty(a, 'b', {enumerable: true, get: Object}); a" ENTER),
       njs_str("[\n b: '[Getter]'\n]") },
 
+    { njs_str("var e = Error()" ENTER
+              "Object.defineProperty(e, 'message', { configurable: true, set: Object })" ENTER
+              "delete e.message; e" ENTER),
+      njs_str("Error") },
+
+    { njs_str("var e = Error()" ENTER
+              "Object.defineProperty(e, 'message', { configurable: true, get(){ return 'foo'} })" ENTER
+              "e" ENTER),
+      njs_str("Error: foo") },
+
     /* Temporary indexes */
 
     { njs_str("var a = [1,2,3], i; for (i in a) {Object.seal({});}" ENTER),
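Review bot: The two added cases cover only 'message', and the single delete case uses a setter, while the commit description names both 'name' and 'message' accessor properties that were added and then removed. The second added case never calls `delete`, so it checks getter output rather than the whiteout path. Cases that define a getter on 'name' and on 'message', delete it, and then dump `e` would exercise the remaining combinations. The njs_shell_test[] array continues outside the hunk.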

