From 6886970b7925c521dc7e835b1a3f2585b7190748 Mon Sep 17 00:00:00 2001 From: Dmitry Volyntsev Date: Tue, 28 Jun 2022 22:36:38 -0700 Subject: [PATCH] Catching in runtime invalid JUMP offsets at FINALLY instruction. --- src/njs_vmcode.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/njs_vmcode.c b/src/njs_vmcode.c index 0f851ea5..84b8b923 100644 --- a/src/njs_vmcode.c +++ b/src/njs_vmcode.c @@ -2122,6 +2122,7 @@ njs_vmcode_finally(njs_vm_t *vm, njs_value_t *invld, njs_value_t *retval, u_char *pc) { njs_value_t *exception_value, *exit_value; + njs_jump_off_t offset; njs_vmcode_finally_t *finally; exception_value = njs_scope_value(vm, (njs_index_t) retval); @@ -2148,9 +2149,19 @@ njs_vmcode_finally(njs_vm_t *vm, njs_value_t *invld, njs_value_t *retval, return njs_vmcode_return(vm, NULL, exit_value); } else if (njs_number(exit_value) != 0) { - return (njs_jump_off_t) (njs_number(exit_value) > 0) - ? finally->break_offset - : finally->continue_offset; + offset = (njs_number(exit_value) > 0) ? finally->break_offset + : finally->continue_offset; + + if (njs_slow_path(offset + < (njs_jump_off_t) sizeof(njs_vmcode_finally_t))) + { + njs_internal_error(vm, "unset %s offset for FINALLY block", + (njs_number(exit_value) > 0) ? "exit" + : "continuaion"); + return NJS_ERROR; + } + + return offset; } return sizeof(njs_vmcode_finally_t); -- 2.47.3