From: Dmitry Volyntsev Date: Thu, 22 Nov 2018 14:38:25 +0000 (+0300) Subject: Fixed size uint32_t overflow in njs_array_expand(). X-Git-Tag: 0.2.6~7 X-Git-Url: http://git.kaiwu.me/sitemap.xml?a=commitdiff_plain;h=87b38bc8ea2bf08a1aab0879ffd7b2cab0b7ad2f;p=njs.git Fixed size uint32_t overflow in njs_array_expand(). --- diff --git a/njs/njs_array.c b/njs/njs_array.c index 13a0047c..e8ae019b 100644 --- a/njs/njs_array.c +++ b/njs/njs_array.c @@ -6,6 +6,7 @@ #include #include +#include typedef struct { @@ -136,7 +137,7 @@ njs_array_alloc(njs_vm_t *vm, uint32_t length, uint32_t spare) size = (uint64_t) length + spare; - if (nxt_slow_path((size * sizeof(njs_value_t)) >= 0xffffffff)) { + if (nxt_slow_path((size * sizeof(njs_value_t)) >= UINT32_MAX)) { goto memory_error; } @@ -201,11 +202,12 @@ njs_array_string_add(njs_vm_t *vm, njs_array_t *array, u_char *start, njs_ret_t njs_array_expand(njs_vm_t *vm, njs_array_t *array, uint32_t prepend, - uint32_t size) + uint32_t new_size) { + uint64_t size; njs_value_t *start, *old; - size += array->length; + size = (uint64_t) new_size + array->length; if (nxt_fast_path(size <= array->size && prepend == 0)) { return NXT_OK; @@ -218,11 +220,14 @@ njs_array_expand(njs_vm_t *vm, njs_array_t *array, uint32_t prepend, size += size / 2; } + if (nxt_slow_path(((prepend + size) * sizeof(njs_value_t)) >= UINT32_MAX)) { + goto memory_error; + } + start = nxt_mem_cache_align(vm->mem_cache_pool, sizeof(njs_value_t), (prepend + size) * sizeof(njs_value_t)); if (nxt_slow_path(start == NULL)) { - njs_memory_error(vm); - return NXT_ERROR; + goto memory_error; } array->size = size; @@ -238,6 +243,12 @@ njs_array_expand(njs_vm_t *vm, njs_array_t *array, uint32_t prepend, nxt_mem_cache_free(vm->mem_cache_pool, old); return NXT_OK; + +memory_error: + + njs_memory_error(vm); + + return NXT_ERROR; } diff --git a/njs/test/njs_unit_test.c b/njs/test/njs_unit_test.c index 4c2e5ec9..c4176494 100644 --- a/njs/test/njs_unit_test.c +++ b/njs/test/njs_unit_test.c 
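Review bot: The parameter renamed to `new_size` in the njs_array_expand() signature is added to `array->length` on the next changed line (`size = (uint64_t) new_size + array->length;`), so it is the number of elements the array grows by, not the size the array will have, and the new name reads as the opposite of what it is. A name that mirrors the sibling `prepend` parameter, such as `append`, would match its use, and the function has no header comment to disambiguate; I would add one above the definition: `/* Grows array by prepend slots in front and new_size slots at the end; the caller bounds neither, so all arithmetic is done in 64 bits. */`. njs_array_expand() continues past the end of this hunk.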
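Review bot: `array->size = size;` just below the new guard now narrows a uint64_t into the array's size field (presumably uint32_t, going by the `uint32_t size` parameter it used to be compared against), and nothing at that line says why the narrowing is safe. What makes it safe is the guard `(prepend + size) * sizeof(njs_value_t) >= UINT32_MAX` a few lines up, which bounds `size` to under 2^28 elements and thereby also keeps the `size_t` byte count handed to nxt_mem_cache_align() representable on a 32-bit target; I would say so above the guard: `/* Bounds size so that array->size and the byte count passed to the allocator cannot wrap on any target. */`. The same limit expression is now written out both here and in njs_array_alloc(); a single static inline helper taking an element count and returning whether the byte size fits would keep the two from drifting apart. njs_array_expand() starts before and ends after this hunk.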
@@ -2905,6 +2905,9 @@ static njs_unit_test_t njs_test[] = nxt_string("0:0,1:1,2:2,null:null,undefined:defined,false:false," "true:true,Infinity:Infinity,-Infinity:-Infinity,NaN:NaN,") }, + { nxt_string("--[][3e9]"), + nxt_string("MemoryError") }, + { nxt_string("[].length"), nxt_string("0") }, @@ -2933,6 +2936,9 @@ static njs_unit_test_t njs_test[] = { nxt_string("[].length = 2**32 - 1"), nxt_string("MemoryError") }, + { nxt_string("[].length = 3e9"), + nxt_string("MemoryError") }, + { nxt_string("Object.defineProperty([], 'length',{value: 2**32 - 1})"), nxt_string("MemoryError") }, diff --git a/nxt/nxt_mem_cache_pool.c b/nxt/nxt_mem_cache_pool.c index 7b293cd6..aadf96bf 100644 --- a/nxt/nxt_mem_cache_pool.c +++ b/nxt/nxt_mem_cache_pool.c @@ -14,6 +14,7 @@ #include #include #include +#include /* @@ -586,7 +587,7 @@ nxt_mem_cache_alloc_large(nxt_mem_cache_pool_t *pool, size_t alignment, nxt_mem_cache_block_t *block; /* Allocation must be less than 4G. */ - if (nxt_slow_path(size >= 0xffffffff)) { + if (nxt_slow_path(size >= UINT32_MAX)) { return NULL; }
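Review bot: Both new cases start from an empty array, so the 64-bit addition `(uint64_t) new_size + array->length` that the commit introduces is only exercised with a length of 0, and the `prepend` term of the new guard is not exercised at all; what the cases do pin is the wrap in `size += size / 2`. A variant on a non-empty array is cheap and, if I read the growth path correctly, should fail the same way: `{ nxt_string("var a = [1]; a[3e9] = 1"), nxt_string("MemoryError") },`. The prepend side would need an array already near the limit, which these tests cannot build, so a comment next to the new cases noting that only the append path is covered would be honest.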
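Review bot: The rewritten guard `size >= UINT32_MAX` cannot catch a byte count that already wrapped in the caller: `size` is `size_t`, so on an ILP32 build it is 32 bits wide, the condition is true only for the single value 0xffffffff, and a product that overflowed before the call arrives here looking small. The fix therefore relies on njs_array_alloc() and njs_array_expand() doing their own 64-bit bounds check before calling in, and the comment here should say that rather than read as the backstop; I would replace `/* Allocation must be less than 4G. */` with `/* Allocation must be less than 4G; callers compute size in 64 bits so it cannot have wrapped before reaching this check. */`. As written the comment is also slightly off in that UINT32_MAX itself is rejected, which the `>=` makes deliberate. nxt_mem_cache_alloc_large() starts before and ends after this hunk.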