From 7b3fba59f96e51ddf602222958ec855fba1e4383 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Sat, 11 Jun 2022 00:15:49 -0700
Subject: [PATCH] Fixed njs_array_convert_to_slow_array().

Previously, the function might free invalid pointer, as array->start is
not always points to the beginning of allocated memory block.

This closes #540 issue on Github.
---
 src/njs_array.c          | 2 +-
 src/test/njs_unit_test.c | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/njs_array.c b/src/njs_array.c
index 6691d800..a973f30a 100644
--- a/src/njs_array.c
+++ b/src/njs_array.c
@@ -165,7 +165,7 @@ njs_array_convert_to_slow_array(njs_vm_t *vm, njs_array_t *array)
     /* GC: release value. */
 
-    njs_mp_free(vm->mem_pool, array->start);
+    njs_mp_free(vm->mem_pool, array->data);
 
     array->start = NULL;
 
     return NJS_OK;
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index 46197cd2..d338c79f 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -4743,6 +4743,12 @@ static njs_unit_test_t njs_test[] =
               "a.shift(); a"),
       njs_str("2,3") },
 
+    { njs_str("var arr = [1,2];"
+              "arr.shift();"
+              "arr[2**20] = 3;"
+              "arr[2**20]"),
+      njs_str("3") },
+
     { njs_str("var a = []; a.splice()"),
       njs_str("") },
 
-- 
2.47.3
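Review bot: After `njs_mp_free(vm->mem_pool, array->data);` only `array->start` is reset, so `array->data` keeps pointing at the released block; if that field stays reachable after the conversion to a slow array, a later read or second release through it would be a use-after-free or double free, which is exactly the class of bug the commit is fixing. Clearing both fields together keeps the invariant that `start` and `data` are either both valid or both NULL: `array->data = NULL;` next to the existing `array->start = NULL;`. The GC comment above the free could also record why `data` rather than `start` is the right argument, e.g. `/* data, not start: shift() advances start inside the block (#540). */`, so the next maintainer does not revert it. The body of njs_array_convert_to_slow_array begins and ends outside the hunk, so whether `data` is read afterwards cannot be confirmed here.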
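Review bot: The new test case encodes the trigger condition implicitly: `arr.shift()` presumably advances `array->start` within the allocated block, and the sparse write at `2**20` presumably forces conversion to a slow array, but nothing in the test says so, and the magic index looks arbitrary without that context. A one-line comment above the entry, such as `/* #540: shift() then sparse index -> slow array must free array->data, not start */`, ties the fixture to the fix in src/njs_array.c. Note that the assertion only checks the stored value is readable; the invalid-free regression itself is only caught when the pool allocator or a sanitizer build detects the bad pointer, which is worth stating in the comment so the test is run under such a configuration.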