]> git.kaiwu.me - njs.git/commitdiff
Fixed stack-use-after-free in njs_value_property_set().
authorDmitry Volyntsev <xeioex@nginx.com>
Mon, 16 Dec 2019 12:18:51 +0000 (15:18 +0300)
committerDmitry Volyntsev <xeioex@nginx.com>
Mon, 16 Dec 2019 12:18:51 +0000 (15:18 +0300)
src/njs_object.h
src/test/njs_unit_test.c

index 629f5a31abb934aa9f2e235ad0237cb5cf57675f..1d704a8cb5792d6b2ab055ec7e4056cbe4e585b4 100644 (file)
@@ -204,18 +204,15 @@ njs_value_to_key(njs_vm_t *vm, njs_value_t *dst, njs_value_t *value)
 
 
 njs_inline njs_int_t
-njs_key_string_get(njs_vm_t *vm, const njs_value_t *key, njs_str_t *str)
+njs_key_string_get(njs_vm_t *vm, njs_value_t *key, njs_str_t *str)
 {
-    njs_int_t    ret;
-    njs_value_t  dst;
+    njs_int_t  ret;
 
     if (njs_slow_path(njs_is_symbol(key))) {
-        ret = njs_symbol_to_string(vm, &dst, key);
+        ret = njs_symbol_to_string(vm, key, key);
         if (njs_slow_path(ret != NJS_OK)) {
             return ret;
         }
-
-        key = &dst;
     }
 
     njs_string_get(key, str);
index a7fc052e1d298211a8b76b0565250b2a54143412..80a92a4e1a1461919afffb8a2253f73c4a4b41a5 100644 (file)
@@ -10475,6 +10475,14 @@ static njs_unit_test_t  njs_test[] =
               "while(n--) o[Symbol()] = 'test'; o[''];"),
       njs_str("undefined") },
 
+    { njs_str("var symA = Symbol('A'); var obj = {[symA]:1}; Object.freeze(obj); "
+              "obj[symA] = 2"),
+      njs_str("TypeError: Cannot assign to read-only property \"Symbol(A)\" of object") },
+
+    { njs_str("var symA = Symbol('A'); var obj = {[symA]:1}; Object.freeze(obj); "
+              "delete obj[symA]"),
+      njs_str("TypeError: Cannot delete property \"Symbol(A)\" of object") },
+
     { njs_str("["
               " Object.prototype,"
               " Symbol.prototype,"