From 58ef7c74854ecef189c615f279f7dedb7fb94dc8 Mon Sep 17 00:00:00 2001
From: Andrei Zeliankou
Date: Wed, 31 Jan 2024 15:16:34 +0000
Subject: [PATCH] NJS: avoiding arithmetic ops with NULL pointer in r->args

Can be reproduced by test/test_rewrite.py::test_rewrite_njs with enabled UndefinedBehaviorSanitizer:
src/nxt_http_js.c:169:52: runtime error: applying zero offset to null pointer
    #0 0x10255b044 in nxt_http_js_ext_get_args nxt_http_js.c:169
    #1 0x102598ad0 in njs_value_property njs_value.c:1175
    #2 0x10259c2c8 in njs_vm_object_prop njs_vm.c:1398
    #3 0x102559d74 in nxt_js_call nxt_js.c:445
    #4 0x1023c0da0 in nxt_tstr_query nxt_tstr.c:276
    #5 0x102516ec4 in nxt_http_rewrite nxt_http_rewrite.c:56
    #6 0x1024fd86c in nxt_http_request_action nxt_http_request.c:565
    #7 0x1024d71b0 in nxt_h1p_request_body_read nxt_h1proto.c:998
    #8 0x1023f5c48 in nxt_event_engine_start nxt_event_engine.c:542
    #9 0x1023e2838 in nxt_thread_trampoline nxt_thread.c:126
    #10 0x18133e030 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x7030)
    #11 0x181338e38 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1e38)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/nxt_http_js.c:169:52
Same fix was introduced in NJS:
---
 src/nxt_http_js.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/nxt_http_js.c b/src/nxt_http_js.c
index e3beb8b4e..3dbf79708 100644
--- a/src/nxt_http_js.c
+++ b/src/nxt_http_js.c
@@ -162,6 +162,7 @@ static njs_int_t
 nxt_http_js_ext_get_args(njs_vm_t *vm, njs_object_prop_t *prop,
     njs_value_t *value, njs_value_t *setval, njs_value_t *retval)
 {
+    u_char *start;
     njs_int_t ret;
     njs_value_t *args;
     njs_opaque_value_t val;
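Review bot: The new `start` local only removes the UB if `r->args->length` is guaranteed to be 0 whenever `r->args->start` is NULL, and nothing in this patch establishes that invariant: the end pointer in the second hunk is still formed as `start + r->args->length`, so a NULL start paired with a stale non-zero length would turn `(u_char *) "" + length` into the same out-of-bounds arithmetic on a different object. I would tie the length to the same test rather than rely on an unstated invariant, e.g. declare `size_t length;` next to `start`, set `length = (r->args->start != NULL) ? r->args->length : 0;` alongside the `start` assignment, and pass `start + length` to `njs_vm_query_string_parse`. A one-line comment on the sentinel would also help the next reader, e.g. `/* no query string: parse the empty string instead of NULL */`. nxt_http_js_ext_get_args's body continues beyond this hunk, and whether the request parser can leave `length` non-zero with a NULL `start` is not visible here.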
@@ -175,8 +176,8 @@ nxt_http_js_ext_get_args(njs_vm_t *vm, njs_object_prop_t *prop,
     args = njs_value_arg(&val);
-    ret = njs_vm_query_string_parse(vm, r->args->start,
-        r->args->start + r->args->length, args);
+    start = (r->args->start != NULL) ? r->args->start : (u_char *) "";
+    ret = njs_vm_query_string_parse(vm, start, start + r->args->length, args);
     if (ret == NJS_ERROR) {
         return NJS_ERROR;