Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fixed Function.prototype.apply() with slow arrays.
Previously, the function had two issues:
   * array->start was referenced without checking for fast array flag
   * the created arguments list was not sanity-checked for its length,
     which can be very large.

The fix is to remove micro-optimization for arrays and introduce limit
size for arguments list.

This closes #449 issue in Github.
  • Loading branch information
xeioex committed Jan 19, 2022
1 parent 6a40a85 commit 39e8fa1
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 10 deletions.
17 changes: 7 additions & 10 deletions src/njs_function.c
Expand Up @@ -1385,18 +1385,10 @@ njs_function_prototype_apply(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,

if (njs_is_null_or_undefined(arr_like)) {
length = 0;

goto activate;

} else if (njs_is_array(arr_like)) {
arr = arr_like->data.u.array;

args = arr->start;
length = arr->length;

goto activate;
}

} else if (njs_slow_path(!njs_is_object(arr_like))) {
if (njs_slow_path(!njs_is_object(arr_like))) {
njs_type_error(vm, "second argument is not an array-like object");
return NJS_ERROR;
}
Expand All @@ -1406,6 +1398,11 @@ njs_function_prototype_apply(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
return ret;
}

if (njs_slow_path(length > 1024)) {
njs_internal_error(vm, "argument list is too long");
return NJS_ERROR;
}

arr = njs_array_alloc(vm, 1, length, NJS_ARRAY_SPARE);
if (njs_slow_path(arr == NULL)) {
return NJS_ERROR;
Expand Down
4 changes: 4 additions & 0 deletions src/test/njs_unit_test.c
Expand Up @@ -10063,6 +10063,10 @@ static njs_unit_test_t njs_test[] =
"f.apply(123, {})"),
njs_str("123") },

{ njs_str("(function(index, ...rest){ return rest[index];})"
".apply({}, [1022].concat(Array(1023).fill(1).map((v,i)=>i.toString(16))))"),
njs_str("3fe") },

{ njs_str("String.prototype.concat.apply('a', "
"{length:2, 0:{toString:function() {return 'b'}}, 1:'c'})"),
njs_str("abc") },
Expand Down

0 comments on commit 39e8fa1

Please sign in to comment.