From c45e5cee84c4c7bbd4a2d461ade05cfd11f112c2 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Mon, 17 Feb 2020 16:18:40 +0300
Subject: [PATCH] Fixed potential integer-overflow in String.prototype.replace().

---
 src/njs_string.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/njs_string.c b/src/njs_string.c
index 673bd4a2..8850a0b8 100644
--- a/src/njs_string.c
+++ b/src/njs_string.c
@@ -3672,10 +3672,16 @@ njs_string_replace_regexp_function(njs_vm_t *vm, njs_value_t *this,
 njs_value_t *arguments;
 njs_string_prop_t string;
+ if (njs_slow_path((n + 3) >= UINT32_MAX / sizeof(njs_value_t))) {
+ njs_memory_error(vm);
+ return NJS_ERROR;
+ }
+
 njs_set_invalid(&r->retval);
 arguments = njs_mp_alloc(vm->mem_pool, (n + 3) * sizeof(njs_value_t));
 if (njs_slow_path(arguments == NULL)) {
+ njs_memory_error(vm);
 return NJS_ERROR;
 }
-- 
2.47.3
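Review bot: The new guard compares `n + 3` against the limit, so if n is a 32-bit unsigned type (its declaration is outside the hunk) a value within three of its maximum wraps to a small number, passes the check, and the `(n + 3) * sizeof(njs_value_t)` passed to njs_mp_alloc() below is then far smaller than the caller assumes. Moving the constant to the other side avoids the addition entirely: `if (njs_slow_path(n >= UINT32_MAX / sizeof(njs_value_t) - 3)) {` rejects the same range without depending on the sum staying in range; if n is already wider than 32 bits the wrap cannot occur and the rewrite is merely cosmetic. A short comment above the guard, `/* keep (n + 3) * sizeof(njs_value_t) below the njs_mp_alloc() size limit */`, would record why the bound is expressed this way. njs_string_replace_regexp_function begins before and continues past the hunk.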