From ec3d3e57fe6889fbc91adf85846abd2aeed9c03e Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Mon, 16 Dec 2019 15:18:51 +0300
Subject: [PATCH] Fixed stack-use-after-free in njs_value_property_set().
---
 src/njs_object.h | 9 +++------
 src/test/njs_unit_test.c | 8 ++++++++
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/njs_object.h b/src/njs_object.h
index 629f5a31..1d704a8c 100644
--- a/src/njs_object.h
+++ b/src/njs_object.h
@@ -204,18 +204,15 @@ njs_value_to_key(njs_vm_t *vm, njs_value_t *dst, njs_value_t *value)
 njs_inline njs_int_t
-njs_key_string_get(njs_vm_t *vm, const njs_value_t *key, njs_str_t *str)
+njs_key_string_get(njs_vm_t *vm, njs_value_t *key, njs_str_t *str)
 {
- njs_int_t ret;
- njs_value_t dst;
+ njs_int_t ret;
 if (njs_slow_path(njs_is_symbol(key))) {
- ret = njs_symbol_to_string(vm, &dst, key);
+ ret = njs_symbol_to_string(vm, key, key);
 if (njs_slow_path(ret != NJS_OK)) {
 return ret;
 }
-
- key = &dst;
 }
 njs_string_get(key, str);
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index a7fc052e..80a92a4e 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -10475,6 +10475,14 @@ static njs_unit_test_t njs_test[] =
 "while(n--) o[Symbol()] = 'test'; o[''];"),
 njs_str("undefined") },
+ { njs_str("var symA = Symbol('A'); var obj = {[symA]:1}; Object.freeze(obj); "
+ "obj[symA] = 2"),
+ njs_str("TypeError: Cannot assign to read-only property \"Symbol(A)\" of object") },
+
+ { njs_str("var symA = Symbol('A'); var obj = {[symA]:1}; Object.freeze(obj); "
+ "delete obj[symA]"),
+ njs_str("TypeError: Cannot delete property \"Symbol(A)\" of object") },
+
 { njs_str("["
 " Object.prototype,"
 " Symbol.prototype,"
--
2.47.3
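Review bot: The in-place call `njs_symbol_to_string(vm, key, key)` in njs_key_string_get() overwrites the caller's value, so a symbol key comes back as its descriptive string, and nothing at the function states that. Removing the local `dst` is what fixes the dangling reference, which suggests `str` can point into the storage of the value it was read from; if so, `*key` must also outlive `str`. I would put both contracts in a comment above the function, e.g. `/* Converts a symbol key to its string form in place; str may reference *key, so key must outlive str and must not be used as a symbol afterwards. */`. The call also relies on njs_symbol_to_string() tolerating dst == value, which this hunk does not show and is worth confirming. The function body continues past the end of the hunk.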
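Review bot: Both added cases in njs_test[] stop at the thrown TypeError, so they pin the error text but never check that the symbol and the property are still intact after the failed operation. Since njs_key_string_get() now rewrites its key argument in place, a follow-up case that catches the error and then reads the property back would guard against the conversion leaking into the script's own value, something like `{ njs_str("var symA = Symbol('A'); var obj = {[symA]:1}; Object.freeze(obj); try { obj[symA] = 2 } catch (e) {}; typeof symA + ':' + obj[symA]"), njs_str("symbol:1") },`. Whether the key passed down is the script's value or a copy is not visible in this patch, which is the reason to pin it in a test.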