From 84acdb8edbed8fbf3c9e47b55320fae636391968 Mon Sep 17 00:00:00 2001 From: Alexander Borisov Date: Thu, 24 Oct 2019 16:15:01 +0300 Subject: [PATCH] Fixed heap-buffer-overflow in njs_array_reverse_iterator() function. Affected JS functions in Array.prototype: lastIndexOf, reduceRight. --- src/njs_array.c | 3 ++- src/test/njs_unit_test.c | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/src/njs_array.c b/src/njs_array.c index 8eb333cb..8017fb69 100644 --- a/src/njs_array.c +++ b/src/njs_array.c @@ -1594,7 +1594,8 @@ njs_array_reverse_iterator(njs_vm_t *vm, njs_array_iterator_args_t *args, } else { /* UTF-8 string. */ - p = njs_string_offset(string_prop.start, end, from + 1); + p = njs_string_offset(string_prop.start, end, from); + p = njs_utf8_next(p, end); i = from + 1; diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c index fecd3d4c..67d35032 100644 --- a/src/test/njs_unit_test.c +++ b/src/test/njs_unit_test.c @@ -4407,6 +4407,17 @@ static njs_unit_test_t njs_test[] = "Array.prototype.lastIndexOf.call(o); i"), njs_str("1") }, + { njs_str("[''].lastIndexOf.call('00000000000000000000000000000а00')"), + njs_str("-1") }, + + { njs_str("var o = 'ГВБА';" + "Array.prototype.lastIndexOf.call(o, 'Г', 0)"), + njs_str("0") }, + + { njs_str("var o = 'ГВБА';" + "Array.prototype.lastIndexOf.call(o, 'Г', 4)"), + njs_str("0") }, + { njs_str("[1,2,3,4].includes()"), njs_str("false") }, @@ -5029,6 +5040,11 @@ static njs_unit_test_t njs_test[] = "catch (e) {i += '; ' + e} i"), njs_str("1; TypeError: unexpected iterator arguments") }, + { njs_str("var m = [];" + "[''].reduceRight.call('00000000000000000000000000000а00', (p, v, i, a) => {m.push(v)});" + "m.join('')"), + njs_str("0а00000000000000000000000000000") }, + { njs_str("var a = ['1','2','3','4','5','6']; a.sort()"), njs_str("1,2,3,4,5,6") }, -- 2.47.3