Fixed heap-buffer-overflow in Buffer.prototype.indexOf().

Previously, when `from` argument was provided heap-buffer-overflow might
happen due to lack of boundary check. `to = njs_min(to, length)`
statement was also removed because it has no effect, `to` is
equal to `length` here.

The issue was introduced in 5d15a8d6 (0.8.5).

This closes #794 issue on Github.

diff --git a/src/njs_buffer.c b/src/njs_buffer.c
index 07054bf053c1c3a12e7d926cfc4e73c6b1262f83..0bd5b8968e485aa54b5921527fc143223625dc31 100644 (file)
--- a/src/njs_buffer.c
+++ b/src/njs_buffer.c
@@ -2228,7 +2228,10 @@ encoding:
 
         } else {
             to -= str.length - 1;
-            to = njs_min(to, length);
+
+            if (from > to) {
+                goto done;
+            }
         }
 
         for (i = from; i != to; i += increment) {

diff --git a/src/qjs_buffer.c b/src/qjs_buffer.c
index 2487c6339bb664e04ca5ffd8b25b63ec814d4766..5def5e6344ef301af08dc41d47d3a8b836c2a981 100644 (file)
--- a/src/qjs_buffer.c
+++ b/src/qjs_buffer.c
@@ -1098,7 +1098,10 @@ encoding:
 
     } else {
         to -= str.length - 1;
-        to = njs_min(to, length);
+
+        if (from > to) {
+            goto done;
+        }
     }
 
     for (i = from; i != to; i += increment) {
@@ -1108,6 +1111,8 @@ encoding:
         }
     }
 
+done:
+
     JS_FreeValue(ctx, buffer);
     return JS_NewInt32(ctx, -1);
 }

diff --git a/test/buffer.t.js b/test/buffer.t.js
index 55227b3a32d4de8d2f1aee08f2bad838155db852..f47c62f7efa31f9b2dee24c5a7eaded92377be31 100644 (file)
--- a/test/buffer.t.js
+++ b/test/buffer.t.js
@@ -473,6 +473,7 @@ let indexOf_tsuite = {
         { buf: Buffer.from('abcdef'), value: 'abc', offset: 1, expected: -1 },
         { buf: Buffer.from('abcdef'), value: 'def', offset: 1, expected: 3 },
         { buf: Buffer.from('abcdef'), value: 'def', offset: -3, expected: 3 },
+        { buf: Buffer.from('abcdef'), value: 'efgh', offset: 4, expected: -1 },
         { buf: Buffer.from('abcdef'), value: '626364', encoding: 'hex', expected: 1 },
         { buf: Buffer.from('abcdef'), value: '626364', encoding: 'utf-128',
           exception: 'TypeError: "utf-128" encoding is not supported' },