From: Dmitry Volyntsev Date: Mon, 13 May 2019 17:28:40 +0000 (+0300) Subject: Fixed heap-buffer-overflow in String.prototype.replace(). X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=c8d0bc98c521c15cd56f603622152f636d41fb35;p=njs.git Fixed heap-buffer-overflow in String.prototype.replace(). This closes #154 issue on GitHub.
---
diff --git a/njs/njs_string.c b/njs/njs_string.c
index abc9cba5..3ceaed45 100644
--- a/njs/njs_string.c
+++ b/njs/njs_string.c
@@ -3239,7 +3239,7 @@ njs_string_replace_search(njs_vm_t *vm, njs_value_t *args,
 p = r->part[0].start;
 end = (p + r->part[0].size) - (search.length - 1);
- do {
+ while (p < end) {
 if (memcmp(p, search.start, search.length) == 0) {
 if (r->substitutions != NULL) {
@@ -3272,8 +3272,7 @@ njs_string_replace_search(njs_vm_t *vm, njs_value_t *args,
 } else {
 p = (u_char *) nxt_utf8_next(p, end);
 }
-
- } while (p < end);
+ }
 njs_string_copy(&vm->retval, &args[0]);
diff --git a/njs/test/njs_unit_test.c b/njs/test/njs_unit_test.c
index 91822550..8213215c 100644
--- a/njs/test/njs_unit_test.c
+++ b/njs/test/njs_unit_test.c
@@ -5336,6 +5336,9 @@ static njs_unit_test_t njs_test[] =
 { nxt_string("'abcdefgh'.replace('d', undefined)"),
 nxt_string("abcundefinedefgh") },
+ { nxt_string("'a'.repeat(16).replace('a'.repeat(17)) === 'a'.repeat(16)"),
+ nxt_string("true") },
+
 { nxt_string("'abcdefgh'.replace('d', null)"),
 nxt_string("abcnullefgh") },
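Review bot: In njs_string_replace_search() (njs/njs_string.c, first hunk) the loop bound still comes from `end = (p + r->part[0].size) - (search.length - 1);`, which lands before `p` whenever the search string is longer than the subject, so the new `while (p < end)` relies on out-of-range pointer arithmetic that C leaves undefined. An explicit length check would make the no-match case independent of that: compute `end` and enter the loop only under `if (search.length <= r->part[0].size)`, otherwise fall through to the existing `njs_string_copy(&vm->retval, &args[0]);` path. If `search.length` is an unsigned type (its declaration is not visible here), a zero-length search also wraps `search.length - 1`, which deserves a short comment or a test of its own. The function starts before the first hunk and continues past the second, so the surrounding declarations and the match branch could not be checked.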
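Review bot: The new entry in njs_test[] (njs/test/njs_unit_test.c) only compares the returned string, so it can presumably pass on the unfixed code unless the suite runs under AddressSanitizer or a similar checker, because a one-byte over-read in `memcmp` rarely changes the result. A comment above the entry would record that intent, for example `/* search longer than subject: regression for #154, detected only with a memory checker */`. Boundary neighbours are also missing: a search exactly as long as the subject, and a much longer search against a short subject such as `'a'.replace('a'.repeat(64))`. The array continues outside the hunk, so existing coverage of these cases could not be confirmed.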