git.kaiwu.me - njs.git/commit
Fixed heap-buffer-overflow for RegExp.prototype[Symbol.replace].
author Alexander Borisov <alexander.borisov@nginx.com>
Tue, 13 Oct 2020 12:44:33 +0000 (15:44 +0300)
committer Alexander Borisov <alexander.borisov@nginx.com>
Tue, 13 Oct 2020 12:44:33 +0000 (15:44 +0300)
commit 495c0c1bbf7c952a74ef180d1ff8da8e4983c5f7
tree 6c02da2686b5dbe54335e8f9f565882d3e12649d
parent dd7ab069c801dc83cfc0222cc692c34c7d248da1
Fixed heap-buffer-overflow for RegExp.prototype[Symbol.replace].

Previously, RegExp.prototype[Symbol.replace] might overrun the boundaries
of the result of the custom "exec" method for a RegExp argument. The
issue occurred when the result object had zero length.  The length is
used to create an array and the zero index was always written without
respect for the length resulting in heap-buffer-overflow.

The issue was introduced in 1c729f765cfb.
src/njs_regexp.c
src/test/njs_unit_test.c
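
The bug class the commit message describes, as an added C illustration; it is not njs source and not the commit's actual fix. All type and function names are hypothetical, and the hardened variant shows one way to guarantee the always-written slot exists.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the array-like result of a custom "exec". */
typedef struct {
    size_t       length;   /* script-controlled "length" property */
    const char  *match;    /* property "0": the matched substring */
} exec_result_t;

typedef struct {
    size_t        count;
    const char  **items;
} capture_array_t;

/* Pattern from the commit message: storage sized by length, slot 0
 * written unconditionally. Shown for contrast; never called here. */
int captures_unchecked(const exec_result_t *r, capture_array_t *out)
{
    out->items = malloc(r->length * sizeof(*out->items));
    if (out->items == NULL) {
        return -1;
    }
    out->count = r->length;
    out->items[0] = r->match;   /* out of bounds when length == 0 */
    return 0;
}

/* Hardened (assumed approach): always reserve the slot that is always
 * written, and reject lengths whose byte size would overflow size_t. */
int captures_checked(const exec_result_t *r, capture_array_t *out)
{
    size_t  i, slots = (r->length > 0) ? r->length : 1;

    if (slots > SIZE_MAX / sizeof(*out->items)) {
        return -1;
    }
    out->items = malloc(slots * sizeof(*out->items));
    if (out->items == NULL) {
        return -1;
    }
    out->count = slots;
    out->items[0] = r->match;
    for (i = 1; i < slots; i++) {
        out->items[i] = NULL;   /* captures not supplied by exec */
    }
    return 0;
}
```

Building a test like this with AddressSanitizer enabled is what turns the zero-length case from silent corruption into a reported heap-buffer-overflow.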