From: Alexander Borisov
Date: Tue, 21 May 2019 17:45:42 +0000 (+0300)
Subject: Fixed integer-overflow in String.prototype.concat().
X-Git-Tag: 0.3.3~40
X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=611e08a38747e9ca79d5311061fba2a4338528c7;p=njs.git
Fixed integer-overflow in String.prototype.concat(). This closes #159 issue on GitHub.
---
diff --git a/njs/njs_string.c b/njs/njs_string.c
index a3a3d74f..d6260794 100644
--- a/njs/njs_string.c
+++ b/njs/njs_string.c
@@ -181,12 +181,17 @@ njs_string_new(njs_vm_t *vm, njs_value_t *value, const u_char *start,
 nxt_noinline u_char *
-njs_string_alloc(njs_vm_t *vm, njs_value_t *value, uint32_t size,
- uint32_t length)
+njs_string_alloc(njs_vm_t *vm, njs_value_t *value, uint64_t size,
+ uint64_t length)
 {
 uint32_t total, map_offset, *map;
 njs_string_t *string;
+ if (nxt_slow_path(size > NJS_STRING_MAX_LENGTH)) {
+ njs_range_error(vm, "invalid string length");
+ return NULL;
+ }
+
 value->type = NJS_STRING;
 njs_string_truth(value, size);
@@ -844,7 +849,7 @@ njs_string_prototype_concat(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs,
 njs_index_t unused)
 {
 u_char *p, *start;
- size_t size, length, mask;
+ uint64_t size, length, mask;
 nxt_uint_t i;
 njs_string_prop_t string;
diff --git a/njs/njs_string.h b/njs/njs_string.h
index bf227d91..1f621ca7 100644
--- a/njs/njs_string.h
+++ b/njs/njs_string.h
@@ -145,8 +145,8 @@ njs_string_length(njs_value_t *string)
 njs_ret_t njs_string_set(njs_vm_t *vm, njs_value_t *value, const u_char *start,
 uint32_t size);
-u_char *njs_string_alloc(njs_vm_t *vm, njs_value_t *value, uint32_t size,
- uint32_t length);
+u_char *njs_string_alloc(njs_vm_t *vm, njs_value_t *value, uint64_t size,
+ uint64_t length);
 njs_ret_t njs_string_new(njs_vm_t *vm, njs_value_t *value, const u_char *start,
 uint32_t size, uint32_t length);
 njs_ret_t njs_string_hex(njs_vm_t *vm, njs_value_t *value,
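Review bot: The new guard in njs_string_alloc rejects only `size`, although the prototype widened `length` to uint64_t as well; it is sufficient only if a string's character count can never exceed its byte count, and nothing in the hunk states that invariant. A one-line comment on the check would pin it down, e.g. `/* length <= size for every string njs stores, so bounding size bounds both. */`. Below the guard `size` is still folded into the uint32_t `total`/`map_offset` arithmetic, which presumably relies on NJS_STRING_MAX_LENGTH leaving headroom for the offset map; a comment naming that dependency next to the constant would keep a later change to the limit from silently reintroducing the wrap. That arithmetic and the rest of njs_string_alloc lie outside the hunk.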
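Review bot: Widening the concat locals moves the overflow check into njs_string_alloc, but the njs_string.h hunk shows njs_string_new still declared with `uint32_t size, uint32_t length`, so a caller that computes a 64-bit total and reaches the allocator through that entry point can still be narrowed before the guard runs; this commit protects the concat path only. If other builtins accumulate sizes the same way, they appear to need the same uint64_t treatment or a check before the narrowing. `mask` was widened together with `size` and `length`; if it only ORs per-argument lengths that is harmless, but its use is outside the hunk, as is the rest of njs_string_prototype_concat's body.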
diff --git a/njs/test/njs_unit_test.c b/njs/test/njs_unit_test.c
index 60b214e7..c0da26c9 100644
--- a/njs/test/njs_unit_test.c
+++ b/njs/test/njs_unit_test.c
@@ -4620,6 +4620,11 @@ static njs_unit_test_t njs_test[] =
 { nxt_string("'A'.repeat(16).toBytes() === 'A'.repeat(16)"),
 nxt_string("true") },
+ { nxt_string("var s = 'x'.repeat(2**10).repeat(2**14);"
+ "var a = Array(200).fill(s);"
+ "String.prototype.concat.apply(s, a.slice(1))"),
+ nxt_string("RangeError: invalid string length") },
+
 { nxt_string("var a = 'abcdefgh'; a.substr(3, 15)"),
 nxt_string("defgh") },
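Review bot: The new case exercises only the byte-count path: `'x'` is a single-byte character, so `size` and `length` coincide and only the `size > NJS_STRING_MAX_LENGTH` branch in njs_string_alloc is covered. A sibling case built from a multi-byte character of comparable length would confirm the same RangeError when the character count stays under the limit but the byte count does not. The numbers are also worth a short comment on the case, e.g. `/* 199 copies of a 2**24-byte string, ~3.3 GB, must be rejected before any allocation. */`, so a reader does not have to rederive why this shape trips the limit while the test itself only holds one 16 MiB string.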