From: Dmitry Volyntsev <xeioex@nginx.com>
Date: Fri, 10 Apr 2020 11:15:12 +0000 (+0000)
Subject: Fixed potential heap-buffer-overflow in njs_vm_value().
X-Git-Tag: 0.4.0~12
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=10cc690613e2bfc7c09048bce9f15c7548e759a4;p=njs.git

Fixed potential heap-buffer-overflow in njs_vm_value().

The issue was introduced in 7ccb8b32cc02.
---

diff --git a/src/njs_vm.c b/src/njs_vm.c
index 4d98e402..f3551941 100644
--- a/src/njs_vm.c
+++ b/src/njs_vm.c
@@ -593,7 +593,7 @@ njs_vm_value(njs_vm_t *vm, const njs_str_t *path, njs_value_t *retval)
     njs_set_object(&value, &vm->global_object);
 
     for ( ;; ) {
-        p = njs_strchr(start, '.');
+        p = njs_strlchr(start, end, '.');
 
         size = ((p != NULL) ? p : end) - start;
         if (njs_slow_path(size == 0)) {
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index 37dd63a7..8e0a0013 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -17472,7 +17472,7 @@ njs_vm_value_test(njs_opts_t *opts, njs_stat_t *stat)
 {
     njs_vm_t      *vm;
     njs_int_t     ret;
-    njs_str_t     s, *script;
+    njs_str_t     s, *script, path;
     njs_uint_t    i;
     njs_bool_t    success;
     njs_stat_t    prev;
@@ -17564,7 +17564,17 @@ njs_vm_value_test(njs_opts_t *opts, njs_stat_t *stat)
             goto done;
         }
 
-        ret = njs_vm_value(vm, &tests[i].path, &vm->retval);
+        path = tests[i].path;
+
+        path.start = njs_mp_alloc(vm->mem_pool, path.length);
+        if (path.start == NULL) {
+            njs_printf("njs_mp_alloc() failed\n");
+            goto done;
+        }
+
+        memcpy(path.start, tests[i].path.start, path.length);
+
+        ret = njs_vm_value(vm, &path, &vm->retval);
 
         if (njs_vm_retval_string(vm, &s) != NJS_OK) {
             njs_printf("njs_vm_retval_string() failed\n");