From: Dmitry Volyntsev
Date: Tue, 14 May 2019 16:13:53 +0000 (+0300)
Subject: Fixed heap-buffer-overflow in String.prototype.lastIndexOf().
X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=fe147ab7b6721eb5a1a883f95ad62b5600b103d7;p=njs.git
Fixed heap-buffer-overflow in String.prototype.lastIndexOf().
This closes #151 issue on Github.
---
diff --git a/njs/njs_string.c b/njs/njs_string.c
index f291ef96..3d4ea80d 100644
--- a/njs/njs_string.c
+++ b/njs/njs_string.c
@@ -1831,8 +1831,13 @@ njs_string_prototype_last_index_of(njs_vm_t *vm, njs_value_t *args,
 }
 }
- if (index > length) {
- index = length;
+ if (search_length == 0) {
+ index = nxt_min(index, length);
+ goto done;
+ }
+
+ if (index >= length) {
+ index = length - 1;
 }
 if (string.size == (size_t) length) {
diff --git a/njs/test/njs_unit_test.c b/njs/test/njs_unit_test.c
index 28ec41f5..8730f8a7 100644
--- a/njs/test/njs_unit_test.c
+++ b/njs/test/njs_unit_test.c
@@ -5172,6 +5172,16 @@ static njs_unit_test_t njs_test[] =
 { nxt_string("''.lastIndexOf(undefined)"),
 nxt_string("-1") },
+ { nxt_string("'β'.repeat(32).lastIndexOf('β')"),
+ nxt_string("31") },
+
+ { nxt_string("'β'.repeat(32).lastIndexOf``"),
+ nxt_string("32") },
+
+ { nxt_string("JSON.stringify(Array(24).fill(true).map((v,i) => 'abc abc ab abc абвгдежзab'.lastIndexOf('abc', i)))"
+ "== JSON.stringify([].concat(Array(4).fill(0), Array(7).fill(4), Array(13).fill(11)))"),
+ nxt_string("true") },
+
 { nxt_string("''.includes('')"),
 nxt_string("true") },
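Review bot: The new clamp `index = length - 1;` in njs_string_prototype_last_index_of still starts the backward search where fewer than `search_length` characters remain whenever the needle is longer than one character, so the fix relies on the comparison loop after the hunk bounding every read against the end of the string. That loop, and any earlier `length < search_length` guard, lie outside the hunk (the function starts and ends outside it), so this cannot be confirmed from here. If such a guard exists, clamping to the last position where a match can fit, `index = nxt_min(index, length - search_length);`, would remove the dependency. The same guard is presumably what keeps `length - 1` from becoming -1 for an empty receiver. A short comment stating that `index` and `length` appear to be character counts rather than byte offsets would help the next reader.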
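Review bot: The added cases in njs_test[] never combine a multi-byte receiver with a needle longer than one character, and never pass a position below the string length to the empty-needle branch, so the `length - 1` clamp and the `nxt_min(index, length)` path are each exercised at only one boundary. Two more entries would cover both under the sanitizer build: `{ nxt_string("'β'.repeat(32).lastIndexOf('ββ')"), nxt_string("30") },` and `{ nxt_string("'abc'.lastIndexOf('', 1)"), nxt_string("1") },`.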