From: Dmitry Volyntsev
Date: Mon, 17 Feb 2020 13:18:40 +0000 (+0300)
Subject: Fixed potential integer-overflow in String.prototype.replace().
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=c45e5cee84c4c7bbd4a2d461ade05cfd11f112c2;p=njs.git
Fixed potential integer-overflow in String.prototype.replace().
---
diff --git a/src/njs_string.c b/src/njs_string.c
index 673bd4a2..8850a0b8 100644
--- a/src/njs_string.c
+++ b/src/njs_string.c
@@ -3672,10 +3672,16 @@ njs_string_replace_regexp_function(njs_vm_t *vm, njs_value_t *this,
 njs_value_t *arguments;
 njs_string_prop_t string;
+ if (njs_slow_path((n + 3) >= UINT32_MAX / sizeof(njs_value_t))) {
+ njs_memory_error(vm);
+ return NJS_ERROR;
+ }
+
 njs_set_invalid(&r->retval);
 arguments = njs_mp_alloc(vm->mem_pool, (n + 3) * sizeof(njs_value_t));
 if (njs_slow_path(arguments == NULL)) {
+ njs_memory_error(vm);
 return NJS_ERROR;
 }
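Review bot: The added guard evaluates `n + 3` before comparing it with the limit, so if `n` is a 32-bit unsigned type (its declaration is outside the hunk) a value close to UINT32_MAX wraps to a small number, the check passes, and `njs_mp_alloc()` is still asked for an undersized buffer. Moving the constant to the trusted side of the comparison removes that wrap: `if (njs_slow_path(n >= UINT32_MAX / sizeof(njs_value_t) - 3)) {`. A one-line comment saying why the bound is UINT32_MAX rather than the allocator's size type would also make the intent clear to the next reader. The function body starts and ends outside the hunk, so whether callers already bound `n` cannot be confirmed from here.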