From e14c69be95583d7ef8636586fa0e8a20cbe715a2 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Thu, 18 Jul 2019 21:12:25 +0300
Subject: [PATCH] Fixed njs_string_slice().

Previously, njs_string_slice() when slice->start == slice->string_length may call njs_string_offset() with invalid index. This might result in invalid memory access in njs_string_offset() for native functions which use njs_string_slice(): String.prototype.substring()
---
 njs/njs_string.c | 27 +++++++++++++++++----------
 njs/test/njs_unit_test.c | 3 +++
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/njs/njs_string.c b/njs/njs_string.c
index 8031b70e..daf2d20f 100644
--- a/njs/njs_string.c
+++ b/njs/njs_string.c
@@ -1351,19 +1351,26 @@ njs_string_slice_string_prop(njs_string_prop_t *dst,
     } else {
         /* UTF-8 string. */
         end = start + string->size;
 
-        start = njs_string_offset(start, end, slice->start);
-        /* Evaluate size of the slice in bytes and ajdust length. */
-        p = start;
-        n = length;
+        if (slice->start < slice->string_length) {
+            start = njs_string_offset(start, end, slice->start);
 
-        while (n != 0 && p < end) {
-            p = nxt_utf8_next(p, end);
-            n--;
-        }
+            /* Evaluate size of the slice in bytes and adjust length. */
+            p = start;
+            n = length;
+
+            while (n != 0 && p < end) {
+                p = nxt_utf8_next(p, end);
+                n--;
+            }
 
-        size = p - start;
-        length -= n;
+            size = p - start;
+            length -= n;
+
+        } else {
+            length = 0;
+            size = 0;
+        }
     }
 
     dst->start = (u_char *) start;
diff --git a/njs/test/njs_unit_test.c b/njs/test/njs_unit_test.c
index 00140ff4..7777d12e 100644
--- a/njs/test/njs_unit_test.c
+++ b/njs/test/njs_unit_test.c
@@ -4825,6 +4825,9 @@ static njs_unit_test_t njs_test[] =
     { nxt_string("'α'.repeat(32).substring(32)"),
       nxt_string("") },
 
+    { nxt_string("'α'.repeat(32).substring(32,32)"),
+      nxt_string("") },
+
     { nxt_string("'abcdefghijklmno'.slice(NaN, 5)"),
       nxt_string("abcde") },
-- 
2.47.3
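Review bot: The new guard `if (slice->start < slice->string_length)` carries the whole memory-safety argument of this change, but nothing in the code says why the equality case must not reach njs_string_offset(); a reader who later "simplifies" the condition to `<=` would reintroduce the out-of-bounds read the commit message describes. A one-line comment above the guard would pin the invariant, e.g. `/* njs_string_offset() reads past the string for start == string_length; an empty slice needs no offset lookup. */`. In the `else` branch `start` is left pointing at the head of the string while `length` and `size` are zeroed, which appears correct for an empty slice but is worth stating in a short comment so that a later consumer of `dst->start` does not assume it points at the slice end. The enclosing function njs_string_slice_string_prop() starts and ends outside this hunk, so the `start > string_length` case the strict comparison also covers cannot be checked here; whether callers clamp before reaching this point is inferred, not visible.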
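Review bot: The added case exercises only `slice->start == slice->string_length` on a multibyte string, which is exactly the crash the fix targets, but the strict `<` in njs_string_slice_string_prop() also silently handles a start beyond the string length, and no test pins that path. If any native caller can reach the slice with an unclamped start, a companion entry such as `{ nxt_string("'α'.repeat(32).substring(33,33)"), nxt_string("") },` would document the expected result; if every caller clamps first, a one-line comment on the new test saying so would make the coverage boundary explicit. This is inferred from the strict comparison in the other hunk, not from anything visible in this file.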