From 77d8a65498eec7c24b4947630710eac83bf97b0a Mon Sep 17 00:00:00 2001
From: Brian Gianforcaro
Date: Tue, 24 Aug 2021 23:11:08 -0700
Subject: [PATCH] LibJS: Fix incorrect Lexer VERIFY when parsing Unicode characters

This bug was discovered via OSS fuzz, it's possible to fall through to this assert with a char_size == 1, so we need to account for that in the VERIFY(..). Repro test case can be found in the OSS fuzz bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37296
---
 Userland/Libraries/LibJS/Lexer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibJS/Lexer.cpp b/Userland/Libraries/LibJS/Lexer.cpp
index 78c4c09a26..7f159123d5 100644
--- a/Userland/Libraries/LibJS/Lexer.cpp
+++ b/Userland/Libraries/LibJS/Lexer.cpp
@@ -201,7 +201,7 @@ void Lexer::consume()
         char_size = 4;
     }
 
-    VERIFY(char_size > 1);
+    VERIFY(char_size >= 1);
     --char_size;
     m_position += char_size;
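Review bot: The relaxed `VERIFY(char_size >= 1)` stops the fuzzer-found abort, but the diffstat shows only Lexer.cpp changed, so the OSS-Fuzz repro is not pinned as a regression test; a minimal script containing a stray UTF-8 continuation byte (or a 0xF8–0xFF byte) under Tests/LibJS would keep this untrusted-input crash from coming back. If `char_size` is initialised to 1 and only ever raised by the lead-byte chain above the hunk (not visible here), the new assertion can no longer fire and is effectively documentation, so a comment would say more than the check: `// char_size is still 1 here when the byte is not a valid UTF-8 lead byte; consume it as a single (invalid) byte instead of asserting.` It is also worth confirming that this 1-byte path still flags the input as invalid Unicode rather than silently lexing the byte, since after `--char_size` the `m_position += char_size;` on the last line is a no-op for that case and whatever advances past the byte is outside the hunk. Lexer::consume() starts before this hunk and continues after it.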