Fixed potential heap-buffer-overflow in njs_vm_value().
authorDmitry Volyntsev <xeioex@nginx.com>
Fri, 10 Apr 2020 11:15:12 +0000 (11:15 +0000)
committerDmitry Volyntsev <xeioex@nginx.com>
Fri, 10 Apr 2020 11:15:12 +0000 (11:15 +0000)
The issue was introduced in 7ccb8b32cc02.

src/njs_vm.c
src/test/njs_unit_test.c

index 4d98e402b0f1a01bfeb65bb0d50232bb5d31b02b..f3551941b70adf4a7fd3ff07c694d530e4799348 100644 (file)
@@ -593,7 +593,7 @@ njs_vm_value(njs_vm_t *vm, const njs_str_t *path, njs_value_t *retval)
     njs_set_object(&value, &vm->global_object);
 
     for ( ;; ) {
-        p = njs_strchr(start, '.');
+        p = njs_strlchr(start, end, '.');
 
         size = ((p != NULL) ? p : end) - start;
         if (njs_slow_path(size == 0)) {
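Review bot: Nothing next to the changed search in `njs_vm_value()` records that `path` is a length-delimited `njs_str_t` with no guaranteed NUL terminator, which is the precondition the old `njs_strchr()` call violated. A one-line comment above the call would stop a later cleanup from reintroducing an unbounded scan: `/* path is not NUL-terminated: search only within [start, end). */`. This assumes `end` is set to `path->start + path->length` above the hunk, which is not visible here. The code that advances `start` past a found '.' is also outside the hunk, so confirm it cannot move `start` beyond `end` for a path that ends in a dot.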
index 37dd63a793305c8b1374d09047ec7dae41ad539f..8e0a0013efe331e23e57d1ffa10f8b1bd3ec203a 100644 (file)
@@ -17472,7 +17472,7 @@ njs_vm_value_test(njs_opts_t *opts, njs_stat_t *stat)
 {
     njs_vm_t      *vm;
     njs_int_t     ret;
-    njs_str_t     s, *script;
+    njs_str_t     s, *script, path;
     njs_uint_t    i;
     njs_bool_t    success;
     njs_stat_t    prev;
@@ -17564,7 +17564,17 @@ njs_vm_value_test(njs_opts_t *opts, njs_stat_t *stat)
             goto done;
         }
 
-        ret = njs_vm_value(vm, &tests[i].path, &vm->retval);
+        path = tests[i].path;
+
+        path.start = njs_mp_alloc(vm->mem_pool, path.length);
+        if (path.start == NULL) {
+            njs_printf("njs_mp_alloc() failed\n");
+            goto done;
+        }
+
+        memcpy(path.start, tests[i].path.start, path.length);
+
+        ret = njs_vm_value(vm, &path, &vm->retval);
 
         if (njs_vm_retval_string(vm, &s) != NJS_OK) {
             njs_printf("njs_vm_retval_string() failed\n");
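Review bot: The copy block starting at `path.start = njs_mp_alloc(vm->mem_pool, path.length);` has no comment saying why the test duplicates the path, so the regression guard reads like redundant code and is easy to delete later. Something like `/* Copy into an exact-size buffer without a trailing NUL so a sanitizer build flags reads past path.length. */` above the allocation would state the intent. Whether the overread is actually caught depends on how `njs_mp_alloc()` places small allocations; if the pool carves them from a shared page in the test build, a read a few bytes past the end may go unreported, so confirm the sanitizer configuration gives each allocation its own redzone. Also check that no entry in `tests[]` has an empty path, since a zero-length request may take the `njs_mp_alloc() failed` branch. The function body starts and ends outside the hunk.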