From: Dmitry Volyntsev
Date: Thu, 14 Apr 2022 23:07:34 +0000 (-0700)
Subject: Fixed Response headers iteration in Fetch API.
X-Git-Tag: 0.7.4~26
X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/postgres_fdw.c?a=commitdiff_plain;h=675049dc2ce07a06d5e6d65ab8664e49c7659d3a;p=njs.git

Fixed Response headers iteration in Fetch API.

Previously, heap-use-after-free might occur when HTTP Response was received with more than 8 headers and headers iteration is used.

The fix is not to assume that pointer to the beginning of the keys array never changes. The pointer may change when array is resized.

The issue was introduced in 81040de6b085 (0.5.1).

This closes #492 issue on Github.
---
diff --git a/nginx/ngx_js_fetch.c b/nginx/ngx_js_fetch.c index c88f5903..ba36f87c 100644 --- a/nginx/ngx_js_fetch.c +++ b/nginx/ngx_js_fetch.c @@ -2234,10 +2234,10 @@ ngx_response_js_ext_keys(njs_vm_t *vm, njs_value_t *value, njs_value_t *keys) length = 0; headers = http->headers.elts; - start = njs_vm_array_start(vm, keys); for (i = 0; i < http->headers.nelts; i++) { h = &headers[i]; + start = njs_vm_array_start(vm, keys); for (k = 0; k < length; k++) { njs_value_string_get(njs_argument(start, k), &hdr);
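
Review bot: The re-read of `start` inside the `for (i ...)` loop carries no comment explaining why it cannot be hoisted, so a later cleanup could move `start = njs_vm_array_start(vm, keys);` back above the loop as a loop invariant and reintroduce the use-after-free the commit message describes. Add a short comment at that line stating that `keys` may be reallocated when it grows during iteration, so the base pointer has to be reloaded on every pass. The visible lines also add no regression test; a test that iterates the headers of a Response carrying more than 8 headers (the threshold named in the commit message), run under AddressSanitizer, would pin the fix down. The code that appends to `keys` lies outside the hunk context, so it is worth confirming that no append can happen between this assignment and the last `njs_argument(start, k)` read in the inner `for (k ...)` loop.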