Fixed stack-use-after-scope in Array.prototype.map().

In the njs_array_iterator() an args.value is replaced to value on stack
for non-object strings.

diff --git a/src/njs_array.c b/src/njs_array.c
index 31bcf6612e390a6f1ef6317b074b1284c592599c..05630a9122d0e0539c529394e0d830671c4cb200 100644 (file)
--- a/src/njs_array.c
+++ b/src/njs_array.c
@@ -1917,12 +1917,12 @@ njs_array_prototype_map(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
             return ret;
         }
 
-        if (njs_is_array(iargs.value)
-            && njs_object_hash_is_empty(iargs.value))
+        if (njs_is_array(&args[0])
+            && njs_object_hash_is_empty(&args[0]))
         {
             array = iargs.array;
 
-            for (i = njs_array_len(iargs.value); i < length; i++) {
+            for (i = njs_array_len(&args[0]); i < length; i++) {
                 njs_set_invalid(&array->start[i]);
             }
         }

diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index a077d1407e6c085d271124dda58bbfa5a4cd65f8..a348ba1891731c60bde3b7aebc3467fb9601eb38 100644 (file)
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -4506,6 +4506,9 @@ static njs_unit_test_t  njs_test[] =
               ".every(x => x === true)"),
       njs_str("true") },
 
+    { njs_str("Array.prototype.map.call('abcdef', (val, idx, obj) => {return val === 100})"),
+      njs_str("false,false,false,false,false,false") },
+
     { njs_str("var a = [];"
                  "a.reduce(function(p, v, i, a) { return p + v })"),
       njs_str("TypeError: invalid index") },