details: https://github.com/nginx/njs/commit/6c8084b666cfe5db5d9401e7dff7981b5b2eb100 branches: master commit: 6c8084b666cfe5db5d9401e7dff7981b5b2eb100 user: Dmitry Volyntsev <xei...@nginx.com> date: Wed, 9 Oct 2024 17:32:11 -0700 description: Fixed heap-buffer-overflow in Buffer.prototype.indexOf().
Previously, when `from` argument was provided heap-buffer-overflow might happen due to lack of boundary check. `to = njs_min(to, length)` statement was also removed because it has no effect, `to` is equal to `length` here. The issue was introduced in 5d15a8d6 (0.8.5). This closes #794 issue on Github.
---
 src/njs_buffer.c | 5 ++++-
 src/qjs_buffer.c | 7 ++++++-
 test/buffer.t.js | 1 +
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/njs_buffer.c b/src/njs_buffer.c
index 07054bf0..0bd5b896 100644
--- a/src/njs_buffer.c
+++ b/src/njs_buffer.c
@@ -2228,7 +2228,10 @@ encoding:
 
     } else {
         to -= str.length - 1;
-        to = njs_min(to, length);
+
+        if (from > to) {
+            goto done;
+        }
     }
 
     for (i = from; i != to; i += increment) {
diff --git a/src/qjs_buffer.c b/src/qjs_buffer.c
index 2487c633..5def5e63 100644
--- a/src/qjs_buffer.c
+++ b/src/qjs_buffer.c
@@ -1098,7 +1098,10 @@ encoding:
 
     } else {
         to -= str.length - 1;
-        to = njs_min(to, length);
+
+        if (from > to) {
+            goto done;
+        }
     }
 
     for (i = from; i != to; i += increment) {
@@ -1108,6 +1111,8 @@ encoding:
         }
     }
 
+done:
+
     JS_FreeValue(ctx, buffer);
     return JS_NewInt32(ctx, -1);
 }
diff --git a/test/buffer.t.js b/test/buffer.t.js
index 55227b3a..f47c62f7 100644
--- a/test/buffer.t.js
+++ b/test/buffer.t.js
@@ -473,6 +473,7 @@ let indexOf_tsuite = {
         { buf: Buffer.from('abcdef'), value: 'abc', offset: 1, expected: -1 },
         { buf: Buffer.from('abcdef'), value: 'def', offset: 1, expected: 3 },
         { buf: Buffer.from('abcdef'), value: 'def', offset: -3, expected: 3 },
+        { buf: Buffer.from('abcdef'), value: 'efgh', offset: 4, expected: -1 },
         { buf: Buffer.from('abcdef'), value: '626364', encoding: 'hex', expected: 1 },
         { buf: Buffer.from('abcdef'), value: '626364', encoding: 'utf-128',
           exception: 'TypeError: "utf-128" encoding is not supported' },
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
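Review bot: The new `if (from > to)` guard only closes the overrun if `from` and `to` are signed: `to -= str.length - 1` goes below zero whenever the search value is longer than the buffer, and with an unsigned type that wraps to a large value and the comparison never fires, leaving the loop on the next line to read past the end. The declarations are outside the hunk, so this is something to confirm rather than assume; the same branch and the same guard appear in the first qjs_buffer.c hunk. The loop condition is `i != to`, so correctness also rests on `to` being an exclusive bound that `from` never exceeds, which the code does not state; a comment such as `/* value cannot fit between from and the end of the buffer: nothing to compare */` above the check would make the intent self-explanatory. In njs_buffer.c the `done:` label that `goto done` targets is not part of this diff, so it must already exist in the function. The enclosing function starts and ends outside the hunk.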
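Review bot: The `done:` label is placed directly before the existing `JS_FreeValue(ctx, buffer)`, which is what keeps the early exit added in the first qjs_buffer.c hunk from leaking the buffer reference, but nothing at the label says that the release is shared by both paths. A one-line comment such as `/* shared no-match exit: the buffer reference must be released on every path */` would keep a later change from inserting a return between the loop and the label. The enclosing function starts outside the hunk.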
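Review bot: The added case covers a value that overruns the end by two bytes at a positive offset, but not the exact boundary the new guard sits on, nor a value longer than the whole buffer. Because the search loop stops on `i != to`, an off-by-one in `to` would make a value that just fits go unfound, and the `from == to` case (which the guard deliberately lets through) is not exercised at all. Cases such as `{ buf: Buffer.from('abcdef'), value: 'ef', offset: 4, expected: 4 },`, `{ buf: Buffer.from('abcdef'), value: 'ef', offset: 5, expected: -1 },` and `{ buf: Buffer.from('abcdef'), value: 'abcdefg', expected: -1 },` would pin both edges. indexOf_tsuite continues outside the hunk.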