git.kaiwu.me - njs.git/commit

author	Dmitry Volyntsev <xeioex@nginx.com>
	Thu, 26 Feb 2026 15:45:46 +0000 (07:45 -0800)
committer	Dmitry Volyntsev <xeioexception@gmail.com>
	Tue, 3 Mar 2026 16:01:10 +0000 (08:01 -0800)
commit	d92e1ee74caf1d4815559d31bcb51df20e20d9a3
tree	844c5b75c775ca812017ba8c8164212307d929b6	tree \| snapshot
parent	9e97ff87c681d99635e1e2637f748742c65912fc	commit \| diff

Fixed string offset map corruption in scope values hash.

The issue was introduced in e7caa46d (0.9.5). When compile-time
UTF-8 string constants were copied into the values hash in
njs_scope_value_index(), the string data layout was calculated
incorrectly: the map offset did not account for the null terminator
added in e7caa46d, the "size" variable was overwritten corrupting
the subsequent memcpy, and the offset map was never initialized
to zero.

This caused SEGV/SIGBUS crashes for any multi-byte UTF-8 string
constant with more than 32 characters when accessing a character
at index >= 32 (e.g. via .replace() or bracket notation). The bug
only manifested when the string byte size was 4-byte aligned, as
otherwise alignment padding absorbed the missing byte.

The fix factors out njs_string_data_size() and njs_string_data_init()
helpers shared by njs_string_alloc() and njs_scope_value_index(),
eliminating the duplicated layout logic that caused the divergence.

Found by Akshay Jain (akshaythe@gmail.com).

src/njs_scope.c		diff \| blob \| history
src/njs_string.c		diff \| blob \| history
src/njs_string.h		diff \| blob \| history
src/test/njs_unit_test.c		diff \| blob \| history