From: Dmitry Volyntsev Date: Fri, 24 May 2024 05:50:34 +0000 (-0700) Subject: Fetch: fixed heap-buffer-overflow in Headers.get(). X-Git-Tag: 0.8.5~20 X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=refs%2Fheads%2Fbranches%2Fdefault;p=njs.git Fetch: fixed heap-buffer-overflow in Headers.get(). Previously, when more than one header with the same name added to a Headers object and Headers.get() was used to get the the duplicate header heap-buffer-overflow occured. The overflow occurred due to an incorrect calculation of the combined header value's length. The issue was introduced in c43261bad627 (0.7.10). --- diff --git a/nginx/ngx_js_fetch.c b/nginx/ngx_js_fetch.c index feef457c..cea80469 100644 --- a/nginx/ngx_js_fetch.c +++ b/nginx/ngx_js_fetch.c @@ -3181,9 +3181,8 @@ static njs_int_t ngx_headers_js_get(njs_vm_t *vm, njs_value_t *value, njs_str_t *name, njs_value_t *retval, njs_bool_t as_array) { - u_char *data, *p; - size_t len; njs_int_t rc; + njs_chb_t chain; ngx_uint_t i; ngx_js_tb_elt_t *h, *ph; ngx_list_part_t *part; @@ -3254,36 +3253,26 @@ ngx_headers_js_get(njs_vm_t *vm, njs_value_t *value, njs_str_t *name, return NJS_DECLINED; } - len = 0; - h = ph; - - while (ph != NULL) { - len = ph->value.len + njs_length(", "); - ph = ph->next; - } - - len -= njs_length(", "); - - data = njs_mp_alloc(njs_vm_memory_pool(vm), len); - if (data == NULL) { - njs_vm_memory_error(vm); - return NJS_ERROR; - } + NJS_CHB_MP_INIT(&chain, vm); - p = data; + h = ph; for ( ;; ) { - p = ngx_cpymem(p, h->value.data, h->value.len); + njs_chb_append(&chain, h->value.data, h->value.len); if (h->next == NULL) { break; } - *p++ = ','; *p++ = ' '; + njs_chb_append_literal(&chain, ", "); h = h->next; } - return njs_vm_value_string_create(vm, retval, data, p - data); + rc = njs_vm_value_string_create_chb(vm, retval, &chain); + + njs_chb_destroy(&chain); + + return rc; }