From: Dmitry Volyntsev Date: Thu, 30 May 2019 13:46:26 +0000 (+0300) Subject: Fixed heap-buffer-overflow in toUpperCase() and toLowerCase(). X-Git-Tag: 0.3.3~21 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=ee332a01a8a3e87e5787927318eecc214196376c;p=njs.git Fixed heap-buffer-overflow in toUpperCase() and toLowerCase(). In String.prototype. This closes #162 issue on Github. --- diff --git a/njs/njs_string.c b/njs/njs_string.c index a109887f..04acad78 100644 --- a/njs/njs_string.c +++ b/njs/njs_string.c @@ -2171,7 +2171,7 @@ static njs_ret_t njs_string_prototype_to_lower_case(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs, njs_index_t unused) { - size_t size; + size_t size, length; u_char *p, *start; const u_char *s, *end; njs_string_prop_t string; @@ -2198,10 +2198,11 @@ njs_string_prototype_to_lower_case(njs_vm_t *vm, njs_value_t *args, } else { /* UTF-8 string. */ end = s + size; + length = string.length; - while (size != 0) { + while (length != 0) { p = nxt_utf8_encode(p, nxt_utf8_lower_case(&s, end)); - size--; + length--; } } @@ -2219,7 +2220,7 @@ static njs_ret_t njs_string_prototype_to_upper_case(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs, njs_index_t unused) { - size_t size; + size_t size, length; u_char *p, *start; const u_char *s, *end; njs_string_prop_t string; @@ -2246,10 +2247,11 @@ njs_string_prototype_to_upper_case(njs_vm_t *vm, njs_value_t *args, } else { /* UTF-8 string. */ end = s + size; + length = string.length; - while (size != 0) { + while (length != 0) { p = nxt_utf8_encode(p, nxt_utf8_upper_case(&s, end)); - size--; + length--; } } diff --git a/njs/test/njs_unit_test.c b/njs/test/njs_unit_test.c index e0ecd448..c6e6f4f4 100644 --- a/njs/test/njs_unit_test.c +++ b/njs/test/njs_unit_test.c @@ -5277,8 +5277,8 @@ static njs_unit_test_t njs_test[] = { nxt_string("'абв абв абвгдежз'.endsWith('абвгд', 14)"), nxt_string("false") }, - { nxt_string("'ABC'.toLowerCase()"), - nxt_string("abc") }, + { nxt_string("'\x00АБВГДЕЁЖЗ'.toLowerCase().length"), + nxt_string("10") }, { nxt_string("'ΑΒΓ'.toLowerCase()"), nxt_string("αβγ") }, @@ -5292,8 +5292,8 @@ static njs_unit_test_t njs_test[] = { nxt_string("'αβγ'.toUpperCase()"), nxt_string("ΑΒΓ") }, - { nxt_string("'абв'.toUpperCase()"), - nxt_string("АБВ") }, + { nxt_string("'\x00абвгдеёжз'.toUpperCase().length"), + nxt_string("10") }, { nxt_string("var a = [], code;" "for (code = 0; code <= 1114111; code++) {"