From 675049dc2ce07a06d5e6d65ab8664e49c7659d3a Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Thu, 14 Apr 2022 16:07:34 -0700
Subject: [PATCH] Fixed Response headers iteration in Fetch API.

Previously, heap-use-after-free might occur when HTTP Response was received with more than 8 headers and headers iteration is used. The fix is not to assume that pointer to the beginning of the keys array never changes. The pointer may change when array is resized. The issue was introduced in 81040de6b085 (0.5.1). This closes #492 issue on Github.
---
 nginx/ngx_js_fetch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx/ngx_js_fetch.c b/nginx/ngx_js_fetch.c
index c88f5903..ba36f87c 100644
--- a/nginx/ngx_js_fetch.c
+++ b/nginx/ngx_js_fetch.c
@@ -2234,10 +2234,10 @@ ngx_response_js_ext_keys(njs_vm_t *vm, njs_value_t *value, njs_value_t *keys)
 length = 0;
 headers = http->headers.elts;
- start = njs_vm_array_start(vm, keys);
 for (i = 0; i < http->headers.nelts; i++) {
 h = &headers[i];
+ start = njs_vm_array_start(vm, keys);
 for (k = 0; k < length; k++) {
 njs_value_string_get(njs_argument(start, k), &hdr);
-- 
2.47.3
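Review bot: The re-read of `start` at the top of the outer `for (i ...)` loop has no comment saying why it must stay there, so a later loop-invariant cleanup could hoist it back out and restore the stale pointer the description reports as a heap-use-after-free. A one-line comment on the added line would guard against that, e.g. `/* keys may be reallocated when it grows; re-read start on every pass */`. The code that appends to `keys` lies outside the hunk, so it is presumably after the inner `k` loop; if anything can grow the array while that inner loop is still reading through `start`, the pointer would need refreshing there as well, which is worth confirming. The diffstat shows only `nginx/ngx_js_fetch.c` changed, so no regression test accompanies the fix. A test that iterates the headers of a response carrying more than 8 headers, run under a memory sanitizer build, would pin the behaviour.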