CVE-2022-31307: Fixed Array.prototype.lastIndexOf() with unicode string as "this". · nginx/njs@eafe4c7

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_string_offset at src/njs_string.c.


Fixed Array.prototype.lastIndexOf() with unicode string as "this".

Previously, when lastIndexOf() was called with unicode string as “this” argument and a negative “fromIndex” argument, null-pointer dereference might occur because njs_string_offset() was called with invalid index value whereas njs_string_offset() should always be called with valid index argument.

The fix is to verify that from index is valid.

This closes #482 issue on Github.


1 parent 982100b commit eafe4c7a326b163612f10861392622b5da5b1792

Showing 2 changed files with 9 additions and 3 deletions.

  • njs_iterator.c
  • njs_unit_test.c

@@ -560,11 +560,14 @@ njs_object_iterate_reverse(njs_vm_t *vm, njs_iterator_args_t *args,

} else {

/* UTF-8 string. */

p = njs_string_offset(string_prop.start, end, from);

p = njs_utf8_next(p, end);

p = NULL;

i = from + 1;

if (i > to) {

p = njs_string_offset(string_prop.start, end, from);

p = njs_utf8_next(p, end);

}

while (i-- > to) {

pos = njs_utf8_prev§;
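
Review bot: the `if (i > to)` guard and the `while (i-- > to)` loop below it have to stay in lockstep, because `p` is left NULL whenever the guard is false and the only thing that keeps the loop body from using it is that the loop condition is false in exactly the same cases. A one-line comment on `p = NULL;` stating that, or moving the loop inside the `if (i > to) { ... }` block, would make the dependency explicit and harder to break in a later edit. The guard also only covers `from + 1` not exceeding `to`; nothing in this hunk shows `from` being bounded by the string length, so it is worth confirming (or asserting) that it is clamped before `njs_string_offset()` is reached.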

@@ -5103,6 +5103,9 @@ static njs_unit_test_t njs_test[] =

{ njs_str("Array.prototype.lastIndexOf.call({0:’undefined’, length:0}, ‘undefined’)"),

njs_str("-1") },

{ njs_str("[1,0,-1,-2].map(v => Array.prototype.lastIndexOf.call('Ф’, 'Ф’, v))"),

njs_str(“0,0,0,-1”) },

{ njs_str("[‘’].lastIndexOf.call(‘00000000000000000000000000000а00’)"),

njs_str("-1") },
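
Review bot: the `[1,0,-1,-2].map(...)` case in this hunk only exercises the one-character string 'Ф', so every in-range `fromIndex` resolves to offset 0 and the UTF-8 offset walk is never tested with a non-zero starting position. Consider adding a case with a longer non-ASCII string where a negative `fromIndex` lands mid-string, and one where its magnitude exceeds the length. A short comment marking which case reproduces the crash from issue #482 would also help anyone bisecting a regression here.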
