]> git.kaiwu.me - njs.git/commitdiff
projects / njs.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8e2ae68)
Fixed njs_string_slice().
authorDmitry Volyntsev <xeioex@nginx.com>
Thu, 18 Jul 2019 18:12:25 +0000 (21:12 +0300)
committerDmitry Volyntsev <xeioex@nginx.com>
Thu, 18 Jul 2019 18:12:25 +0000 (21:12 +0300)
Previously, njs_string_slice() when slice->start == slice->string_length
may call njs_string_offset() with invalid index.

This might result in invalid memory access in njs_string_offset()
for native functions which use njs_string_slice():

    String.prototype.substring()

njs/njs_string.c patch | blob | history
njs/test/njs_unit_test.c patch | blob | history

diff --git a/njs/njs_string.c b/njs/njs_string.c
index 8031b70e107eb366f95d4b6812ca23355d2fe967..daf2d20f9b77b0a3b54ab125404fd3c6f3bcac82 100644 (file)
--- a/njs/njs_string.c
+++ b/njs/njs_string.c
@@ -1351,19 +1351,26 @@ njs_string_slice_string_prop(njs_string_prop_t *dst,
     } else {
         /* UTF-8 string. */
         end = start + string->size;
-        start = njs_string_offset(start, end, slice->start);
 
-        /* Evaluate size of the slice in bytes and ajdust length. */
-        p = start;
-        n = length;
+        if (slice->start < slice->string_length) {
+            start = njs_string_offset(start, end, slice->start);
 
-        while (n != 0 && p < end) {
-            p = nxt_utf8_next(p, end);
-            n--;
-        }
+            /* Evaluate size of the slice in bytes and adjust length. */
+            p = start;
+            n = length;
+
+            while (n != 0 && p < end) {
+                p = nxt_utf8_next(p, end);
+                n--;
+            }
 
-        size = p - start;
-        length -= n;
+            size = p - start;
+            length -= n;
+
+        } else {
+            length = 0;
+            size = 0;
+        }
     }
 
     dst->start = (u_char *) start;
diff --git a/njs/test/njs_unit_test.c b/njs/test/njs_unit_test.c
index 00140ff4a9a24329fa62a761ad95c0af2eeadee1..7777d12eed389be9b6d21d622c55a03d88c11993 100644 (file)
--- a/njs/test/njs_unit_test.c
+++ b/njs/test/njs_unit_test.c
@@ -4825,6 +4825,9 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("'α'.repeat(32).substring(32)"),
       nxt_string("") },
 
+    { nxt_string("'α'.repeat(32).substring(32,32)"),
+      nxt_string("") },
+
     { nxt_string("'abcdefghijklmno'.slice(NaN, 5)"),
       nxt_string("abcde") },
 
njs upstream