git.kaiwu.me - njs.git/commit

]> git.kaiwu.me - njs.git/commit

projects / njs.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: aa59521) | patch

author	Dmitry Volyntsev <xeioex@nginx.com>
	Mon, 15 Jun 2020 15:26:40 +0000 (15:26 +0000)
committer	Dmitry Volyntsev <xeioex@nginx.com>
	Mon, 15 Jun 2020 15:26:40 +0000 (15:26 +0000)
commit	5f6d38546a44889161a29cae58239454e0af0ece
tree	e04ced7c93ff1dfd1bcaa168a51083825e69d243	tree \| snapshot
parent	aa595210669d7525fa8518ec0edf99975ead71db	commit \| diff

Fixed potential memory corruption in njs_function_frame_invoke().

It is a bug to cast vm->top_frame which is (njs_native_frame_t *) type,
to (njs_frame_t *) in general context. The cast is allowed only for the
lambda frames.

The bug did not manifest itself previously because native frames were
allocated with NJS_NATIVE_FRAME_SIZE, which is sizeof(njs_value_t) aligned
size of njs_native_frame_t (on 64bit platform are 80 and 72 bytes
respectively). njs_frame_t contains njs_native_frame_t as a first field.
The frame->retval assignment for native frames resulted in 8 padding bytes
were used as a storage space for the retval field.

The bug becomes visible when the size of njs_native_frame_t changes.

The issue was introduced in 540f03725df2.

src/njs_function.c		diff \| blob \| history
src/njs_function.h		diff \| blob \| history
src/njs_promise.c		diff \| blob \| history
src/njs_vm.c		diff \| blob \| history
src/njs_vm.h		diff \| blob \| history
src/njs_vmcode.c		diff \| blob \| history

njs upstream