Skip to content

Commit

Permalink
NJS: avoiding arithmetic ops with NULL pointer in r->args
Browse files Browse the repository at this point in the history
Can be reproduced by test/test_rewrite.py::test_rewrite_njs
with enabled UndefinedBehaviorSanitizer:

src/nxt_http_js.c:169:52: runtime error: applying zero offset to null pointer
    #0 0x10255b044 in nxt_http_js_ext_get_args nxt_http_js.c:169
    #1 0x102598ad0 in njs_value_property njs_value.c:1175
    #2 0x10259c2c8 in njs_vm_object_prop njs_vm.c:1398
    #3 0x102559d74 in nxt_js_call nxt_js.c:445
    nginx#4 0x1023c0da0 in nxt_tstr_query nxt_tstr.c:276
    nginx#5 0x102516ec4 in nxt_http_rewrite nxt_http_rewrite.c:56
    nginx#6 0x1024fd86c in nxt_http_request_action nxt_http_request.c:565
    nginx#7 0x1024d71b0 in nxt_h1p_request_body_read nxt_h1proto.c:998
    nginx#8 0x1023f5c48 in nxt_event_engine_start nxt_event_engine.c:542
    nginx#9 0x1023e2838 in nxt_thread_trampoline nxt_thread.c:126
    nginx#10 0x18133e030 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x7030)
    nginx#11 0x181338e38 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1e38)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/nxt_http_js.c:169:52

Same fix was introduced in NJS:
<http://hg.nginx.org/njs/rev/4fba78789fe4>

Reviewed-by: Andrew Clayton <[email protected]>
  • Loading branch information
andrey-zelenkov committed Mar 11, 2024
1 parent 0d99744 commit fdc4675
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/nxt_http_js.c
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,7 @@ static njs_int_t
nxt_http_js_ext_get_args(njs_vm_t *vm, njs_object_prop_t *prop,
njs_value_t *value, njs_value_t *setval, njs_value_t *retval)
{
u_char *start;
njs_int_t ret;
njs_value_t *args;
njs_opaque_value_t val;
Expand All @@ -175,8 +176,8 @@ nxt_http_js_ext_get_args(njs_vm_t *vm, njs_object_prop_t *prop,

args = njs_value_arg(&val);

ret = njs_vm_query_string_parse(vm, r->args->start,
r->args->start + r->args->length, args);
start = (r->args->start != NULL) ? r->args->start : (u_char *) "";
ret = njs_vm_query_string_parse(vm, start, start + r->args->length, args);

if (ret == NJS_ERROR) {
return NJS_ERROR;
Expand Down

0 comments on commit fdc4675

Please sign in to comment.