From f65981b0b8fcf02d69a40bc934803c25c9f607ab Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Mon, 21 Feb 2022 16:53:16 +0000
Subject: [PATCH] Fixed allocation of large array literals.

Previously, allocation of large array literals may result in null-pointer dereference. The reason is that njs_array_alloc() may return a slow array when size is large enough, but the instruction code assumes that array is always flat. The fix is to check fast_array flag before accessing array->start. This closes #473 issue on Github.
---
 src/njs_vmcode.c         | 18 ++++++++++--------
 src/test/njs_unit_test.c |  4 ++++
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/njs_vmcode.c b/src/njs_vmcode.c
index ef0beb5e..ec478659 100644
--- a/src/njs_vmcode.c
+++ b/src/njs_vmcode.c
@@ -1055,14 +1055,16 @@ njs_vmcode_array(njs_vm_t *vm, u_char *pc)
     if (code->ctor) {
         /* Array of the form [,,,], [1,,]. */
-        value = array->start;
-        length = array->length;
-
-        do {
-            njs_set_invalid(value);
-            value++;
-            length--;
-        } while (length != 0);
+        if (array->object.fast_array) {
+            value = array->start;
+            length = array->length;
+
+            do {
+                njs_set_invalid(value);
+                value++;
+                length--;
+            } while (length != 0);
+        }
     } else {
         /* Array of the form [], [,,1], [1,2,3]. */
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index dc18a13b..ef5b3ca4 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -13154,6 +13154,10 @@ static njs_unit_test_t njs_test[] =
     { njs_str("(new Function('return 5' + '** 1'.repeat(2**13)))()"),
       njs_str("5") },

+    { njs_str("var a = (new Function('return [' + ','.repeat(2**16) + ']'))();"
+              "njs.dump(a)"),
+      njs_str("[<65536 empty items>]") },
+
     { njs_str("(new Function('var a = 7; return a' + '= a'.repeat(2**13)))()"),
       njs_str("7") },
-- 
2.47.3
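Review bot: The slow-array branch is now silent: when `array->object.fast_array` is false the ctor path falls through with nothing marking the elided slots, so a reader cannot tell whether njs_array_alloc() already leaves a slow array's slots absent or whether the `[,,,]` form simply has nothing to do there. A comment on the new `if` line should state which, e.g. `/* Slow arrays keep elements in the property hash; njs_array_alloc() presumably leaves them absent, so only a flat array needs its slots invalidated -- confirm. */`. The loop also remains a do/while, so it writes `array->start[0]` unconditionally and would wrap `length` if it were ever 0; `while (length != 0) { njs_set_invalid(value); value++; length--; }` is safer and costs nothing. njs_vmcode_array's body starts and ends outside the hunk.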
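Review bot: The new test entry does not say why 2**16 is the interesting size, so a later change to the fast/slow threshold in njs_array_alloc() could silently turn it into a no-op that no longer exercises the #473 path. A one-line comment above the entry, `/* #473: a large elided literal must become a slow array without touching array->start. */`, ties it to the regression; the threshold itself is not visible in this hunk, so it is worth confirming that 2**16 is above it. The njs_test[] initializer continues outside the hunk.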