details:   https://hg.nginx.org/njs/rev/6b226ed1b25d
branches:  
changeset: 1838:6b226ed1b25d
user:      Dmitry Volyntsev <xei...@nginx.com>
date:      Thu Apr 14 16:07:34 2022 -0700
description:
Fixed Response headers iteration in Fetch API.

Previously, heap-use-after-free might occur when an HTTP Response was
received with more than 8 headers and headers iteration was used.

The fix is not to assume that the pointer to the beginning of the keys array
never changes.  The pointer may change when the array is resized.

The issue was introduced in 81040de6b085 (0.5.1).

This closes issue #492 on GitHub.

diffstat:

 nginx/ngx_js_fetch.c |  2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diffs (15 lines):

diff -r eab387c72d90 -r 6b226ed1b25d nginx/ngx_js_fetch.c
--- a/nginx/ngx_js_fetch.c      Thu Apr 14 15:39:15 2022 -0700
+++ b/nginx/ngx_js_fetch.c      Thu Apr 14 16:07:34 2022 -0700
@@ -2234,10 +2234,10 @@ ngx_response_js_ext_keys(njs_vm_t *vm, n
 
     length = 0;
     headers = http->headers.elts;
-    start = njs_vm_array_start(vm, keys);
 
     for (i = 0; i < http->headers.nelts; i++) {
         h = &headers[i];
+        start = njs_vm_array_start(vm, keys);
 
         for (k = 0; k < length; k++) {
             njs_value_string_get(njs_argument(start, k), &hdr);
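
Review bot: the `start = njs_vm_array_start(vm, keys);` now sitting inside the outer `for` loop has no comment saying why it is reloaded on every iteration, so it reads like a loop invariant that a later cleanup could hoist back out, reintroducing the stale pointer. Suggest a one-line comment at that line, for example that `keys` may be resized when an entry is appended and its start pointer can move. The reload is only safe if nothing grows `keys` between this line and the last `njs_argument(start, k)` use in the inner loop; the rest of the loop body is outside the visible context, so that is worth confirming. The diffstat touches only nginx/ngx_js_fetch.c, so a regression test that iterates the headers of a Response carrying more than 8 headers would help keep this from coming back.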
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-le...@nginx.org
