From 806caa00550475dd14ddd65f256381a0d0d36e53 Mon Sep 17 00:00:00 2001
From: Alexander Borisov
Date: Tue, 17 Sep 2019 11:29:10 +0300
Subject: [PATCH] Fixed stack-use-after-scope in Array.prototype.map().

In the njs_array_iterator() an args.value is replaced to value on stack for non-object strings.
---
 src/njs_array.c | 6 +++---
 src/test/njs_unit_test.c | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/njs_array.c b/src/njs_array.c
index 31bcf661..05630a91 100644
--- a/src/njs_array.c
+++ b/src/njs_array.c
@@ -1917,12 +1917,12 @@ njs_array_prototype_map(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
 return ret;
 }
- if (njs_is_array(iargs.value)
- && njs_object_hash_is_empty(iargs.value))
+ if (njs_is_array(&args[0])
+ && njs_object_hash_is_empty(&args[0]))
 {
 array = iargs.array;
- for (i = njs_array_len(iargs.value); i < length; i++) {
+ for (i = njs_array_len(&args[0]); i < length; i++) {
 njs_set_invalid(&array->start[i]);
 }
 }
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index a077d140..a348ba18 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -4506,6 +4506,9 @@ static njs_unit_test_t njs_test[] =
 ".every(x => x === true)"),
 njs_str("true") },
+ { njs_str("Array.prototype.map.call('abcdef', (val, idx, obj) => {return val === 100})"),
+ njs_str("false,false,false,false,false,false") },
+
 { njs_str("var a = [];"
 "a.reduce(function(p, v, i, a) { return p + v })"),
 njs_str("TypeError: invalid index") },
--
2.47.3
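Review bot: `iargs.value` is left pointing at storage that is gone once njs_array_iterator() returns, so switching the `if` and the `for` initialiser in src/njs_array.c to `&args[0]` fixes these three reads but not the stale field itself. Going by the commit message, the iterator overwrites `args.value` with the address of a stack value for primitive strings; the iterator is not part of this patch, so any other caller that reads `.value` after the call should be checked for the same stack-use-after-scope. At minimum add a comment above the `if`, such as `/* iargs.value may refer to a stack copy made inside njs_array_iterator(); use args[0] here. */`, so the condition is not later changed back. The body of njs_array_prototype_map() begins and ends outside the hunk.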
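Review bot: The expected string of the new case in src/test/njs_unit_test.c only pins the result length and the callback's constant `false` from `val === 100`, so a build without a sanitizer may well pass with or without the fix. The regression presumably shows up only when the unit tests run under AddressSanitizer, and nothing next to the entry says so. Add a comment above it, e.g. `/* stack-use-after-scope in map() on a primitive string; detected by ASan builds. */`, so the case is not later dropped as redundant. The njs_test[] initializer continues outside the hunk.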