Fixed Response headers iteration in Fetch API.

Previously, heap-use-after-free might occur when HTTP Response was
received with more than 8 headers and headers iteration is used.

The fix is not to assume that pointer to the beginning of the keys array
never changes.  The pointer may change when array is resized.

The issue was introduced in 81040de6b085 (0.5.1).

This closes #492 issue on Github.

diff --git a/nginx/ngx_js_fetch.c b/nginx/ngx_js_fetch.c
index c88f59036c0583f50bf1147170f127cf30693af1..ba36f87c373cbea9b3dfdfbd2625fb2f7a4b91d8 100644 (file)
--- a/nginx/ngx_js_fetch.c
+++ b/nginx/ngx_js_fetch.c
@@ -2234,10 +2234,10 @@ ngx_response_js_ext_keys(njs_vm_t *vm, njs_value_t *value, njs_value_t *keys)
 
     length = 0;
     headers = http->headers.elts;
-    start = njs_vm_array_start(vm, keys);
 
     for (i = 0; i < http->headers.nelts; i++) {
         h = &headers[i];
+        start = njs_vm_array_start(vm, keys);
 
         for (k = 0; k < length; k++) {
             njs_value_string_get(njs_argument(start, k), &hdr);