From ae0bdda86e9946e8fc09db0c4dc044b2d975d7fa Mon Sep 17 00:00:00 2001
From: Luke Wilde
Date: Fri, 10 Sep 2021 23:04:36 +0100
Subject: [PATCH] LibJS: Remove read buffer overflow in Lexer::consume

The position is added to manually in the line terminator and Unicode character cases. While it checks for EOF after doing so, the EOF check used `!=` instead of `<`, meaning if the position went _over_ the source length, it wouldn't think it was EOF and would cause read buffer overflows. For example, `0xea` followed by `0xfd` would cause this.
---
 Userland/Libraries/LibJS/Lexer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibJS/Lexer.cpp b/Userland/Libraries/LibJS/Lexer.cpp
index 7c70b0410e..5a02ac560b 100644
--- a/Userland/Libraries/LibJS/Lexer.cpp
+++ b/Userland/Libraries/LibJS/Lexer.cpp
@@ -141,7 +141,7 @@ Lexer::Lexer(StringView source, StringView filename, size_t line_number, size_t
 void Lexer::consume()
 {
     auto did_reach_eof = [this] {
-        if (m_position != m_source.length())
+        if (m_position < m_source.length())
             return false;
         m_eof = true;
         m_current_char = '\0';
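Review bot: The corrected comparison on the `+` line should carry a comment, because `<` reads like a slip to anyone who does not know that m_position can legitimately end up past m_source.length(), and a later cleanup could quietly turn it back into `!=` and reintroduce the out-of-bounds read. Suggest `// '<', not '!=': the line-terminator and Unicode paths advance m_position manually and may overshoot the end; that must still count as EOF.` The hunk only hardens the EOF check; the overshoot itself happens in branches outside this hunk and presumably still occurs, so this lambda is the last line of defense and a lexer test feeding the truncated multi-byte sequence named in the description would keep the overflow from reappearing. The body of consume() continues past the end of the hunk.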