Fixed potential integer-overflow in String.prototype.replace().

author Dmitry Volyntsev <xeioex@nginx.com>

Mon, 17 Feb 2020 13:18:40 +0000 (16:18 +0300)

committer Dmitry Volyntsev <xeioex@nginx.com>

Mon, 17 Feb 2020 13:18:40 +0000 (16:18 +0300)
author Dmitry Volyntsev <xeioex@nginx.com>
Mon, 17 Feb 2020 13:18:40 +0000 (16:18 +0300)
committer Dmitry Volyntsev <xeioex@nginx.com>
Mon, 17 Feb 2020 13:18:40 +0000 (16:18 +0300)
diff --git a/src/njs_string.c b/src/njs_string.c

index 673bd4a2e865b0b65f2c4816c0907f08c6bda833..8850a0b8122b2955c5946c724dd814cd339af991 100644 (file)
--- a/src/njs_string.c
+++ b/src/njs_string.c
@@ -3672,10 +3672,16 @@ njs_string_replace_regexp_function(njs_vm_t *vm, njs_value_t *this,
      njs_value_t        *arguments;
      njs_string_prop_t  string;
  
+    if (njs_slow_path((n + 3) >= UINT32_MAX / sizeof(njs_value_t))) {
+        njs_memory_error(vm);
+        return NJS_ERROR;
+    }
+
      njs_set_invalid(&r->retval);
  
      arguments = njs_mp_alloc(vm->mem_pool, (n + 3) * sizeof(njs_value_t));
      if (njs_slow_path(arguments == NULL)) {
+        njs_memory_error(vm);
          return NJS_ERROR;
      }
author	Dmitry Volyntsev <xeioex@nginx.com>
	Mon, 17 Feb 2020 13:18:40 +0000 (16:18 +0300)
committer	Dmitry Volyntsev <xeioex@nginx.com>
	Mon, 17 Feb 2020 13:18:40 +0000 (16:18 +0300)