Fixed size uint32_t overflow in njs_array_expand().
authorDmitry Volyntsev <xeioex@nginx.com>
Thu, 22 Nov 2018 14:38:25 +0000 (17:38 +0300)
committerDmitry Volyntsev <xeioex@nginx.com>
Thu, 22 Nov 2018 14:38:25 +0000 (17:38 +0300)
njs/njs_array.c
njs/test/njs_unit_test.c
nxt/nxt_mem_cache_pool.c

index 13a0047c1a5f1d03a4cdfb40f26177ef951ddcc9..e8ae019b5d9d8b4c3b84a0c72e8329defa884b91 100644 (file)
@@ -6,6 +6,7 @@
 
 #include <njs_core.h>
 #include <string.h>
+#include <stdint.h>
 
 
 typedef struct {
@@ -136,7 +137,7 @@ njs_array_alloc(njs_vm_t *vm, uint32_t length, uint32_t spare)
 
     size = (uint64_t) length + spare;
 
-    if (nxt_slow_path((size * sizeof(njs_value_t)) >= 0xffffffff)) {
+    if (nxt_slow_path((size * sizeof(njs_value_t)) >= UINT32_MAX)) {
         goto memory_error;
     }
 
@@ -201,11 +202,12 @@ njs_array_string_add(njs_vm_t *vm, njs_array_t *array, u_char *start,
 
 njs_ret_t
 njs_array_expand(njs_vm_t *vm, njs_array_t *array, uint32_t prepend,
-    uint32_t size)
+    uint32_t new_size)
 {
+    uint64_t     size;
     njs_value_t  *start, *old;
 
-    size += array->length;
+    size = (uint64_t) new_size + array->length;
 
     if (nxt_fast_path(size <= array->size && prepend == 0)) {
         return NXT_OK;
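Review bot: The renamed parameter `new_size` reads as the total target size, but `size = (uint64_t) new_size + array->length;` on the next line adds the current length to it, so it appears to be the number of elements to append; if that is the contract, a name that parallels `prepend` would state it, e.g. `uint32_t append)` with `size = (uint64_t) append + array->length;`. Whether callers really pass an increment rather than a total is inferred from this one line, since no call site is in the hunk. njs_array_expand continues past the end of this hunk.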
@@ -218,11 +220,14 @@ njs_array_expand(njs_vm_t *vm, njs_array_t *array, uint32_t prepend,
         size += size / 2;
     }
 
+    if (nxt_slow_path(((prepend + size) * sizeof(njs_value_t)) >= UINT32_MAX)) {
+        goto memory_error;
+    }
+
     start = nxt_mem_cache_align(vm->mem_cache_pool, sizeof(njs_value_t),
                                 (prepend + size) * sizeof(njs_value_t));
     if (nxt_slow_path(start == NULL)) {
-        njs_memory_error(vm);
-        return NXT_ERROR;
+        goto memory_error;
     }
 
     array->size = size;
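Review bot: `array->size = size;` at the end of the hunk now silently narrows a uint64_t, and it is only safe because the check added a few lines up rejects any `(prepend + size) * sizeof(njs_value_t)` at or above UINT32_MAX, which bounds `size` well below 2^32; that dependency is worth stating where the store happens. Suggest `array->size = (uint32_t) size;  /* fits: bounded by the UINT32_MAX check above */` so a later edit that moves or relaxes the check cannot reintroduce the truncation unnoticed. This assumes array->size is a uint32_t field, which the struct definition outside this hunk would confirm. njs_array_expand starts before this hunk and continues after it.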
@@ -238,6 +243,12 @@ njs_array_expand(njs_vm_t *vm, njs_array_t *array, uint32_t prepend,
     nxt_mem_cache_free(vm->mem_cache_pool, old);
 
     return NXT_OK;
+
+memory_error:
+
+    njs_memory_error(vm);
+
+    return NXT_ERROR;
 }
 
 
index 4c2e5ec93963675bb5461df4d07cb4af73f44870..c4176494eae5964c28453dc8fe3fd74d3f5fabc6 100644 (file)
@@ -2905,6 +2905,9 @@ static njs_unit_test_t  njs_test[] =
       nxt_string("0:0,1:1,2:2,null:null,undefined:defined,false:false,"
                  "true:true,Infinity:Infinity,-Infinity:-Infinity,NaN:NaN,") },
 
+    { nxt_string("--[][3e9]"),
+      nxt_string("MemoryError") },
+
     { nxt_string("[].length"),
       nxt_string("0") },
 
@@ -2933,6 +2936,9 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("[].length = 2**32 - 1"),
       nxt_string("MemoryError") },
 
+    { nxt_string("[].length = 3e9"),
+      nxt_string("MemoryError") },
+
     { nxt_string("Object.defineProperty([], 'length',{value: 2**32 - 1})"),
       nxt_string("MemoryError") },
 
index 7b293cd6683765bf9cfc916597b647ce0fcb81b4..aadf96bf993eb25b5d45b10349002b2d04cd3846 100644 (file)
@@ -14,6 +14,7 @@
 #include <nxt_rbtree.h>
 #include <nxt_mem_cache_pool.h>
 #include <string.h>
+#include <stdint.h>
 
 
 /*
@@ -586,7 +587,7 @@ nxt_mem_cache_alloc_large(nxt_mem_cache_pool_t *pool, size_t alignment,
     nxt_mem_cache_block_t  *block;
 
     /* Allocation must be less than 4G. */
-    if (nxt_slow_path(size >= 0xffffffff)) {
+    if (nxt_slow_path(size >= UINT32_MAX)) {
         return NULL;
     }
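Review bot: The comment `/* Allocation must be less than 4G. */` above the changed line now disagrees with the check by one, because `size >= UINT32_MAX` also rejects UINT32_MAX itself, so the largest accepted request is UINT32_MAX - 1. Since njs_array_alloc and njs_array_expand in this same commit use the identical `>= UINT32_MAX` form, keeping the check and fixing the wording is the consistent choice: `/* Allocation must be less than UINT32_MAX (matches the array-size checks in njs_array.c). */`. The type of `size` is not visible in this hunk; if it is a 32-bit size_t on some targets the comparison can only be true for exactly UINT32_MAX, which is still correct. nxt_mem_cache_alloc_large starts before this hunk and continues after it.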