Handling int overflow in njs_array_alloc() on 32bit archs.
authorDmitry Volyntsev <xeioex@nginx.com>
Fri, 19 Oct 2018 17:55:38 +0000 (20:55 +0300)
committerDmitry Volyntsev <xeioex@nginx.com>
Fri, 19 Oct 2018 17:55:38 +0000 (20:55 +0300)
njs/njs_array.c

index 028bb627732b70748ee3b0718713e724c42fd074..c11ca05ac5824e6e74708bea80107441df2850b6 100644 (file)
@@ -109,7 +109,7 @@ static njs_ret_t njs_array_prototype_sort_continuation(njs_vm_t *vm,
 nxt_noinline njs_array_t *
 njs_array_alloc(njs_vm_t *vm, uint32_t length, uint32_t spare)
 {
-    size_t       size;
+    uint64_t     size;
     njs_array_t  *array;
 
     array = nxt_mem_cache_alloc(vm->mem_cache_pool, sizeof(njs_array_t));
@@ -117,9 +117,9 @@ njs_array_alloc(njs_vm_t *vm, uint32_t length, uint32_t spare)
         goto memory_error;
     }
 
-    size = (size_t) length + spare;
+    size = (uint64_t) length + spare;
 
-    if (nxt_slow_path(size * sizeof(njs_value_t) < size)) {
+    if (nxt_slow_path((size * sizeof(njs_value_t)) >= 0xffffffff)) {
         goto memory_error;
     }
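Review bot: The bound in the new overflow check, `0xffffffff`, is a bare literal with no comment, so a reader cannot tell that it stands for the 32-bit `size_t` ceiling. It also means the check now caps the element buffer below 4 GiB on 64-bit builds, where the old `size_t` wrap test could not trigger for any pair of `uint32_t` inputs. I would write it as `if (nxt_slow_path(size * sizeof(njs_value_t) >= UINT32_MAX)) {` and put a comment above it along the lines of `/* size is 64-bit, so length + spare and the byte count cannot wrap; reject what a 32-bit size_t cannot hold. */`. The allocation call and any store of `size` into the array lie after the end of this hunk, so it is worth confirming there that the value is only narrowed back to `size_t` or `uint32_t` on paths this check has already passed.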