From: Dmitry Volyntsev <xeioex@nginx.com>
Date: Wed, 27 Apr 2022 23:31:00 +0000 (-0700)
Subject: Fixed Array.prototype.lastIndexOf() with unicode string as "this".
X-Git-Tag: 0.7.4~21
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=eafe4c7a326b163612f10861392622b5da5b1792;p=njs.git

Fixed Array.prototype.lastIndexOf() with unicode string as "this".

Previously, when lastIndexOf() was called with unicode string as "this"
argument and a negative "fromIndex" argument null-pointer dererence
might occur because njs_string_offset() was called with invalid index
value whereas njs_string_offset() should always be called with valid
index argument.

The fix is to verify that from index is valid.

This closes #482 issue on Github.
---

diff --git a/src/njs_iterator.c b/src/njs_iterator.c
index 90c3046f..043e4483 100644
--- a/src/njs_iterator.c
+++ b/src/njs_iterator.c
@@ -560,11 +560,14 @@ njs_object_iterate_reverse(njs_vm_t *vm, njs_iterator_args_t *args,
         } else {
             /* UTF-8 string. */
 
-            p = njs_string_offset(string_prop.start, end, from);
-            p = njs_utf8_next(p, end);
-
+            p = NULL;
             i = from + 1;
 
+            if (i > to) {
+                p = njs_string_offset(string_prop.start, end, from);
+                p = njs_utf8_next(p, end);
+            }
+
             while (i-- > to) {
                 pos = njs_utf8_prev(p);
 
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index def152aa..0b73c77b 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -5103,6 +5103,9 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("Array.prototype.lastIndexOf.call({0:'undefined', length:0}, 'undefined')"),
       njs_str("-1") },
 
+    { njs_str("[1,0,-1,-2].map(v => Array.prototype.lastIndexOf.call('Ф', 'Ф', v))"),
+      njs_str("0,0,0,-1") },
+
     { njs_str("[''].lastIndexOf.call('00000000000000000000000000000а00')"),
       njs_str("-1") },