
LibJS: Fix out-of-bounds read when parsing escape sequences

We cannot look at the (i+1)-th character until we have verified that it exists.
This commit is contained in:
Sergey Bugaev 2020-06-01 16:56:39 +03:00 committed by Andreas Kling
parent 80f671e16c
commit 1274c244d5


@ -146,11 +146,13 @@ String Token::string_value(StringValueStatus& status) const
if (code_point == '{') { if (code_point == '{') {
code_point = 0; code_point = 0;
do { while (true) {
if (i + 1 >= m_value.length() - offset) if (i + 1 >= m_value.length() - offset)
return encoding_failure(StringValueStatus::MalformedUnicodeEscape); return encoding_failure(StringValueStatus::MalformedUnicodeEscape);
auto ch = m_value[++i]; auto ch = m_value[++i];
if (ch == '}')
break;
if (!isxdigit(ch)) if (!isxdigit(ch))
return encoding_failure(StringValueStatus::MalformedUnicodeEscape); return encoding_failure(StringValueStatus::MalformedUnicodeEscape);
@ -158,8 +160,7 @@ String Token::string_value(StringValueStatus& status) const
if (new_code_point < code_point) if (new_code_point < code_point)
return encoding_failure(StringValueStatus::UnicodeEscapeOverflow); return encoding_failure(StringValueStatus::UnicodeEscapeOverflow);
code_point = new_code_point; code_point = new_code_point;
} while (m_value[i + 1] != '}'); }
++i;
} else { } else {
if (i + 3 >= m_value.length() - offset || !isxdigit(code_point)) if (i + 3 >= m_value.length() - offset || !isxdigit(code_point))
return encoding_failure(StringValueStatus::MalformedUnicodeEscape); return encoding_failure(StringValueStatus::MalformedUnicodeEscape);
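Review bot: The rewritten `\u{...}` loop now accepts an empty brace escape: for `\u{}` the first `++i` yields `}` and the `break` fires before any hex digit has been consumed, so `code_point` stays 0 and the escape silently decodes as U+0000, whereas the old `do`/`while` form reported MalformedUnicodeEscape because `}` failed the `isxdigit` test. ECMAScript's `\u{HexDigits}` form requires at least one digit between the braces, so the exit should check that a digit was seen, e.g. declare `bool seen_digit = false;` before the loop, set `seen_digit = true;` right after `code_point = new_code_point;`, and change the exit to `if (ch == '}') { if (!seen_digit) return encoding_failure(StringValueStatus::MalformedUnicodeEscape); break; }`. Token::string_value begins and ends outside these hunks, and the bounds check on `m_value.length() - offset` relies on `offset` never exceeding the length, which is not visible here.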