From: Dmitry Volyntsev
Date: Mon, 21 Feb 2022 16:53:16 +0000 (+0000)
Subject: Fixed allocation of large array literals.
X-Git-Tag: 0.7.3~4
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=f65981b0b8fcf02d69a40bc934803c25c9f607ab;p=njs.git

Fixed allocation of large array literals.

Previously, allocation of large array literals may result in null-pointer dereference. The reason is that njs_array_alloc() may return a slow array when size is large enough, but the instruction code assumes that array is always flat. The fix is to check fast_array flag before accessing array->start. This closes #473 issue on Github.
---
diff --git a/src/njs_vmcode.c b/src/njs_vmcode.c
index ef0beb5e..ec478659 100644
--- a/src/njs_vmcode.c
+++ b/src/njs_vmcode.c
@@ -1055,14 +1055,16 @@ njs_vmcode_array(njs_vm_t *vm, u_char *pc)
 if (code->ctor) {
 /* Array of the form [,,,], [1,,]. */
 
- value = array->start;
- length = array->length;
-
- do {
- njs_set_invalid(value);
- value++;
- length--;
- } while (length != 0);
+ if (array->object.fast_array) {
+ value = array->start;
+ length = array->length;
+
+ do {
+ njs_set_invalid(value);
+ value++;
+ length--;
+ } while (length != 0);
+ }
 
 } else {
 /* Array of the form [], [,,1], [1,2,3]. */
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index dc18a13b..ef5b3ca4 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -13154,6 +13154,10 @@ static njs_unit_test_t njs_test[] =
 { njs_str("(new Function('return 5' + '** 1'.repeat(2**13)))()"),
 njs_str("5") },
 
+ { njs_str("var a = (new Function('return [' + ','.repeat(2**16) + ']'))();"
+ "njs.dump(a)"),
+ njs_str("[<65536 empty items>]") },
+
 { njs_str("(new Function('var a = 7; return a' + '= a'.repeat(2**13)))()"),
 njs_str("7") },
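Review bot: The do/while kept inside the new `fast_array` guard still executes its body once when `array->length` is 0, so the fix continues to rely on the ctor branch never producing a zero-length fast array; a counted loop over the same locals, `value = array->start;` / `for (length = array->length; length != 0; length--) { njs_set_invalid(value++); }`, removes that precondition and the post-decrement wrap without touching the guard. The slow-array case now skips the marking entirely, which is presumably right because a non-flat array has no `start` buffer to poison and its holes are absent properties — the expected dump `[<65536 empty items>]` in the unit-test hunk suggests so, but nothing in this hunk shows it. A one-line comment on the guard, `/* Slow (non-flat) arrays have no start[] buffer; their holes are already absent. */`, would record why the non-fast case needs no work. njs_vmcode_array begins before and continues after the hunk.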
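Review bot: The new test entry carries no comment tying it to the regression it pins, and a reader cannot tell from `2**16` why that size matters — it has to exceed whatever threshold makes njs_array_alloc() hand back a slow array, which this file does not show. A comment above the entry, `/* #473: a large array literal must not be treated as a flat (fast) array. */`, would keep the size from being "simplified" later and name the path under test. The njs_test[] initializer begins before and continues after the hunk.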