From: Dmitry Volyntsev
Date: Fri, 22 Feb 2019 17:33:31 +0000 (+0300)
Subject: Fixed heap-buffer-overflow in String.prototype.split().
X-Git-Tag: 0.2.8~7
X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=ae2530ac531b39124e84e7f62c7839b60d32b854;p=njs.git

Fixed heap-buffer-overflow in String.prototype.split().
---

diff --git a/njs/njs_string.c b/njs/njs_string.c
index ed8d36b1..67c20612 100644
--- a/njs/njs_string.c
+++ b/njs/njs_string.c
@@ -2726,7 +2726,7 @@ njs_string_prototype_split(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs,
     uint32_t limit;
     njs_utf8_t utf8;
     njs_array_t *array;
-    const u_char *p, *start, *next, *end;
+    const u_char *p, *start, *next, *last, *end;
     njs_regexp_utf8_t type;
     njs_string_prop_t string, split;
     njs_regexp_pattern_t *pattern;
@@ -2778,14 +2778,19 @@ njs_string_prototype_split(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs,
 
     start = string.start;
     end = string.start + string.size;
+    last = end - split.size;
 
     do {
-        for (p = start; p < end; p++) {
+        for (p = start; p <= last; p++) {
             if (memcmp(p, split.start, split.size) == 0) {
-                break;
+                goto found;
             }
         }
 
+        p = end;
+
+found:
+
         next = p + split.size;
 
         /* Empty split string. */
diff --git a/njs/test/njs_unit_test.c b/njs/test/njs_unit_test.c
index f2fe56a5..6a776d17 100644
--- a/njs/test/njs_unit_test.c
+++ b/njs/test/njs_unit_test.c
@@ -5096,6 +5096,9 @@ static njs_unit_test_t njs_test[] =
     { nxt_string("'囲α碁α織'.split('α')"),
       nxt_string("囲,碁,織") },
 
+    { nxt_string("'a'.repeat(16).split('a'.repeat(15))"),
+      nxt_string(",a") },
+
     { nxt_string("('α'+'β'.repeat(33)).repeat(2).split('α')[1][32]"),
       nxt_string("β") },
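Review bot: The new `last = end - split.size;` in the second njs_string.c hunk (and the `p <= last` bound on the changed for line) forms a pointer before `string.start` whenever the separator is longer than the string being split; that is out-of-object pointer arithmetic, which is undefined behaviour in C even though the value is never dereferenced and the loop then simply does not run, unless a check earlier in njs_string_prototype_split (outside this hunk) already guarantees split.size <= string.size. A length-based bound needs no extra variable and cannot underflow: `for (p = start; (size_t) (end - p) >= split.size; p++) {`, which keeps the split.size == 0 case matching at start exactly as now and makes the `last` added in the first hunk unnecessary. The do-loop and the function itself continue outside the hunk. The njs_unit_test.c hunk could pin this edge with a separator-longer-than-string case such as `'a'.split('aa')` next to the new repeat(16)/repeat(15) case.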