Fixed allocation of large array literals.

Previously, allocation of large array literals may result in null-pointer dereference. The reason is that njs_array_alloc() may return a slow array when size is large enough, but the instruction code assumes that array is always flat. The fix is to check fast_array flag before accessing array->start. This closes #473 issue on Github.
nginx · Feb 21, 2022 · f65981b · f65981b
1 parent ad48705
commit f65981b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 8 deletions.
diff --git a/src/njs_vmcode.c b/src/njs_vmcode.c
@@ -1055,14 +1055,16 @@ njs_vmcode_array(njs_vm_t *vm, u_char *pc)
 
         if (code->ctor) {
             /* Array of the form [,,,], [1,,]. */
-            value = array->start;
-            length = array->length;
-
-            do {
-                njs_set_invalid(value);
-                value++;
-                length--;
-            } while (length != 0);
+            if (array->object.fast_array) {
+                value = array->start;
+                length = array->length;
+
+                do {
+                    njs_set_invalid(value);
+                    value++;
+                    length--;
+                } while (length != 0);
+            }
 
         } else {
             /* Array of the form [], [,,1], [1,2,3]. */

diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
@@ -13154,6 +13154,10 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("(new Function('return 5' + '** 1'.repeat(2**13)))()"),
       njs_str("5") },
 
+    { njs_str("var a = (new Function('return [' + ','.repeat(2**16) + ']'))();"
+			  "njs.dump(a)"),
+      njs_str("[<65536 empty items>]") },
+
     { njs_str("(new Function('var a = 7; return a' + '= a'.repeat(2**13)))()"),
       njs_str("7") },