Fixed heap-buffer-overflow in njs_array_reverse_iterator() function.

Affected JS functions in Array.prototype: lastIndexOf, reduceRight.

diff --git a/src/njs_array.c b/src/njs_array.c
index 8eb333cb5936fe8489ca812be0ab714e6eec66ff..8017fb69992f937bc73de7b3b4bf9563f86b98d8 100644 (file)
--- a/src/njs_array.c
+++ b/src/njs_array.c
@@ -1594,7 +1594,8 @@ njs_array_reverse_iterator(njs_vm_t *vm, njs_array_iterator_args_t *args,
         } else {
             /* UTF-8 string. */
 
-            p = njs_string_offset(string_prop.start, end, from + 1);
+            p = njs_string_offset(string_prop.start, end, from);
+            p = njs_utf8_next(p, end);
 
             i = from + 1;
 

diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index fecd3d4c55e0ae39c5f8f7fdff8cd2bdb1605d5f..67d3503296af69be873cdf29f8f456f7e87bb6fe 100644 (file)
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -4407,6 +4407,17 @@ static njs_unit_test_t  njs_test[] =
               "Array.prototype.lastIndexOf.call(o); i"),
       njs_str("1") },
 
+    { njs_str("[''].lastIndexOf.call('00000000000000000000000000000а00')"),
+      njs_str("-1") },
+
+    { njs_str("var o = 'ГВБА';"
+              "Array.prototype.lastIndexOf.call(o, 'Г', 0)"),
+      njs_str("0") },
+
+    { njs_str("var o = 'ГВБА';"
+              "Array.prototype.lastIndexOf.call(o, 'Г', 4)"),
+      njs_str("0") },
+
     { njs_str("[1,2,3,4].includes()"),
       njs_str("false") },
 
@@ -5029,6 +5040,11 @@ static njs_unit_test_t  njs_test[] =
               "catch (e) {i += '; ' + e} i"),
       njs_str("1; TypeError: unexpected iterator arguments") },
 
+    { njs_str("var m = [];"
+              "[''].reduceRight.call('00000000000000000000000000000а00', (p, v, i, a) => {m.push(v)});"
+              "m.join('')"),
+      njs_str("0а00000000000000000000000000000") },
+
     { njs_str("var a = ['1','2','3','4','5','6']; a.sort()"),
       njs_str("1,2,3,4,5,6") },