Fixed heap-buffer-overflow in String.prototype.lastIndexOf().

This closes #151 issue on Github.

diff --git a/njs/njs_string.c b/njs/njs_string.c
index f291ef963f07e254768481fd8dfcf0d7d3e8638b..3d4ea80d2d64c637a8982e7e0dec38dc3631bbca 100644 (file)
--- a/njs/njs_string.c
+++ b/njs/njs_string.c
@@ -1831,8 +1831,13 @@ njs_string_prototype_last_index_of(njs_vm_t *vm, njs_value_t *args,
         }
     }
 
-    if (index > length) {
-        index = length;
+    if (search_length == 0) {
+        index = nxt_min(index, length);
+        goto done;
+    }
+
+    if (index >= length) {
+        index = length - 1;
     }
 
     if (string.size == (size_t) length) {

diff --git a/njs/test/njs_unit_test.c b/njs/test/njs_unit_test.c
index 28ec41f5b6756c936401313e8f93380557935178..8730f8a7516cf478fea316ec9f004ded23946b88 100644 (file)
--- a/njs/test/njs_unit_test.c
+++ b/njs/test/njs_unit_test.c
@@ -5172,6 +5172,16 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("''.lastIndexOf(undefined)"),
       nxt_string("-1") },
 
+    { nxt_string("'β'.repeat(32).lastIndexOf('β')"),
+      nxt_string("31") },
+
+    { nxt_string("'β'.repeat(32).lastIndexOf``"),
+      nxt_string("32") },
+
+    { nxt_string("JSON.stringify(Array(24).fill(true).map((v,i) => 'abc abc ab abc абвгдежзab'.lastIndexOf('abc', i)))"
+                 "== JSON.stringify([].concat(Array(4).fill(0), Array(7).fill(4), Array(13).fill(11)))"),
+      nxt_string("true") },
+
     { nxt_string("''.includes('')"),
       nxt_string("true") },