Fixed heap-buffer-overflow in String.prototype.split().
authorDmitry Volyntsev <xeioex@nginx.com>
Fri, 22 Feb 2019 17:33:31 +0000 (20:33 +0300)
committerDmitry Volyntsev <xeioex@nginx.com>
Fri, 22 Feb 2019 17:33:31 +0000 (20:33 +0300)
njs/njs_string.c
njs/test/njs_unit_test.c

index ed8d36b1f87f165c7995496381124b004050cb07..67c20612a21a51f04dbbef68b24a945cb891241c 100644 (file)
@@ -2726,7 +2726,7 @@ njs_string_prototype_split(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs,
     uint32_t              limit;
     njs_utf8_t            utf8;
     njs_array_t           *array;
-    const u_char          *p, *start, *next, *end;
+    const u_char          *p, *start, *next, *last, *end;
     njs_regexp_utf8_t     type;
     njs_string_prop_t     string, split;
     njs_regexp_pattern_t  *pattern;
@@ -2778,14 +2778,19 @@ njs_string_prototype_split(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs,
 
             start = string.start;
             end = string.start + string.size;
+            last = end - split.size;
 
             do {
-                for (p = start; p < end; p++) {
+                for (p = start; p <= last; p++) {
                     if (memcmp(p, split.start, split.size) == 0) {
-                        break;
+                        goto found;
                     }
                 }
 
+                p = end;
+
+found:
+
                 next = p + split.size;
 
                 /* Empty split string. */
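Review bot: `last = end - split.size` forms a pointer before `string.start` whenever the separator is longer than the subject string, and the `p <= last` test then rests on out-of-object pointer arithmetic, which is undefined behaviour in C even though it happens to terminate correctly on a flat address space; nothing in the hunk shows a prior `split.size > string.size` guard, so if one does not exist earlier in the function this should be bounded by length instead of by a precomputed pointer. Dropping `last` and writing the scan as `for (p = start; (size_t) (end - p) >= split.size; p++) {` keeps every pointer within `[start, end]`, still refuses to `memcmp` past `end`, and preserves the empty-separator case (a zero-length separator matches at `start`, exactly as now). The new unit test only covers a separator shorter than the subject; a companion case such as `'ab'.split('abc')` expecting `ab` would pin the longer-separator path. Note that `next = p + split.size` on the line after `found:` is computed even when `p == end`, i.e. after the last match on a string that ends with the separator; whether that one-past-`end` value is ever dereferenced depends on code outside this hunk. `njs_string_prototype_split` begins before and continues after the hunk.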
index f2fe56a53b47182a4a68e649b14be33a9e9bbced..6a776d17c6ca24b53fec134ff9635492587508df 100644 (file)
@@ -5096,6 +5096,9 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("'囲α碁α織'.split('α')"),
       nxt_string("囲,碁,織") },
 
+    { nxt_string("'a'.repeat(16).split('a'.repeat(15))"),
+      nxt_string(",a") },
+
     { nxt_string("('α'+'β'.repeat(33)).repeat(2).split('α')[1][32]"),
       nxt_string("β") },