>> var s = 'x'.repeat(2**10).repeat(2**19)
undefined
>> var a = Array(8).fill(s)
undefined
>> String.prototype.concat.apply(s, a.slice(1))
=================================================================
==7198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f00000fa40 at pc 0x7f59b1f12904 bp 0x7ffc99374ed0 sp 0x7ffc99374678
WRITE of size 536870912 at 0x61f00000fa40 thread T0
#0 0x7f59b1f12903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
#1 0x427909 in njs_string_prototype_concat njs/njs_string.c:896
#2 0x45f55f in njs_function_native_call njs/njs_function.c:587
#3 0x41c924 in njs_vmcode_continuation njs/njs_vm.c:2308
#4 0x413d10 in njs_vmcode_interpreter njs/njs_vm.c:159
#5 0x412be5 in njs_vm_start njs/njs.c:594
#6 0x4049a7 in njs_process_script njs/njs_shell.c:770
#7 0x4037ad in njs_interactive_shell njs/njs_shell.c:500
#8 0x402a03 in main njs/njs_shell.c:270
0x61f00000fa40 is located 0 bytes to the right of 3008-byte region [0x61f00000ee80,0x61f00000fa40)
allocated by thread T0 here:
#0 0x7f59b1f1f076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
#1 0x4b621b in nxt_memalign nxt/nxt_malloc.c:26
#2 0x4100ec in njs_align njs/njs.c:41
#3 0x40b703 in nxt_mp_alloc_large nxt/nxt_mp.c:605
#4 0x40b3cf in nxt_mp_align nxt/nxt_mp.c:353
#5 0x40b403 in nxt_mp_zalign nxt/nxt_mp.c:365
#6 0x4101d0 in njs_vm_create njs/njs.c:103
#7 0x40410c in njs_create_vm njs/njs_shell.c:652
#8 0x403672 in njs_interactive_shell njs/njs_shell.c:475
#9 0x402a03 in main njs/njs_shell.c:270
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c3e7fff9ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff9f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff9f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3e7fff9f40: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
Similar to #131: the `size_t` size is truncated when it is passed to `njs_string_alloc()`, so the result buffer is allocated smaller than the total concatenated length that `njs_string_prototype_concat` then copies into it (the report above shows a 536870912-byte `memcpy` writing past the end of a 3008-byte region).
Similar to #131: the `size_t` size is truncated when it is passed to `njs_string_alloc()`, so the result buffer is allocated smaller than the total concatenated length that `njs_string_prototype_concat` then copies into it (the report above shows a 536870912-byte `memcpy` writing past the end of a 3008-byte region).