Previously, the function had two issues:
* array->start was referenced without checking for fast array flag
* the created arguments list was not sanity-checked for its length,
which can be very large.
The fix is to remove micro-optimization for arrays and introduce limit
size for arguments list.
This closes #449 issue in Github.
if (njs_is_null_or_undefined(arr_like)) {
length = 0;
-
- goto activate;
-
- } else if (njs_is_array(arr_like)) {
- arr = arr_like->data.u.array;
-
- args = arr->start;
- length = arr->length;
-
goto activate;
+ }
- } else if (njs_slow_path(!njs_is_object(arr_like))) {
+ if (njs_slow_path(!njs_is_object(arr_like))) {
njs_type_error(vm, "second argument is not an array-like object");
return NJS_ERROR;
}
return ret;
}
+ if (njs_slow_path(length > 1024)) {
+ njs_internal_error(vm, "argument list is too long");
+ return NJS_ERROR;
+ }
+
arr = njs_array_alloc(vm, 1, length, NJS_ARRAY_SPARE);
if (njs_slow_path(arr == NULL)) {
return NJS_ERROR;
"f.apply(123, {})"),
njs_str("123") },
+ { njs_str("(function(index, ...rest){ return rest[index];})"
+ ".apply({}, [1022].concat(Array(1023).fill(1).map((v,i)=>i.toString(16))))"),
+ njs_str("3fe") },
+
{ njs_str("String.prototype.concat.apply('a', "
"{length:2, 0:{toString:function() {return 'b'}}, 1:'c'})"),
njs_str("abc") },
projects / njs.git / commitdiff