From e082e6e61c251b9dd4b3c58e58bd63b4122cbb85 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Mon, 20 Jan 2020 12:18:53 +0100
Subject: [PATCH] Check for leading zero in js_isarrayindex that caused false
 positives.

We're supposed to check whether a string turned into an integer and back
is itself, while also returning the value of the integer. We were
unintentionally allowing integers with leading zero through.
---
 jsrun.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/jsrun.c b/jsrun.c
index 113db4a..5e70684 100644
--- a/jsrun.c
+++ b/jsrun.c
@@ -444,6 +444,11 @@ void js_rot(js_State *J, int n)
 int js_isarrayindex(js_State *J, const char *p, int *idx)
 {
 	int n = 0;
+
+	/* check for '0' and integers with leading zero */
+	if (p[0] == '0')
+		return (p[1] == 0) ? *idx = 0, 1 : 0;
+
 	while (*p) {
 		int c = *p++;
 		if (c >= '0' && c <= '9') {