]> git.kaiwu.me - njs.git/commitdiff
projects / njs.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: dea214f)
Fixed njs_array_convert_to_slow_array().
authorDmitry Volyntsev <xeioex@nginx.com>
Sat, 11 Jun 2022 07:15:49 +0000 (00:15 -0700)
committerDmitry Volyntsev <xeioex@nginx.com>
Sat, 11 Jun 2022 07:15:49 +0000 (00:15 -0700)
Previously, the function might free invalid pointer, as array->start is
not always points to the beginning of allocated memory block.

This closes #540 issue on Github.

src/njs_array.c patch | blob | history
src/test/njs_unit_test.c patch | blob | history

diff --git a/src/njs_array.c b/src/njs_array.c
index 6691d80073c9a9f042c7144bfacc662fcc5b6cf7..a973f30ab9b54cae646b44f5c0dcbf82735a480d 100644 (file)
--- a/src/njs_array.c
+++ b/src/njs_array.c
@@ -165,7 +165,7 @@ njs_array_convert_to_slow_array(njs_vm_t *vm, njs_array_t *array)
 
     /* GC: release value. */
 
-    njs_mp_free(vm->mem_pool, array->start);
+    njs_mp_free(vm->mem_pool, array->data);
     array->start = NULL;
 
     return NJS_OK;
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index 46197cd2960ff22bae4412baa867e735e2fb092e..d338c79f447f903c81cb663839ab000792dcb6a5 100644 (file)
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -4743,6 +4743,12 @@ static njs_unit_test_t  njs_test[] =
               "a.shift(); a"),
       njs_str("2,3") },
 
+    { njs_str("var arr = [1,2];"
+              "arr.shift();"
+              "arr[2**20] = 3;"
+              "arr[2**20]"),
+      njs_str("3") },
+
     { njs_str("var a = []; a.splice()"),
       njs_str("") },
 
njs upstream