YourWishes/jerryscript
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix buffer overrun while parsing malformed JSON hex escape sequence (#2201)

Browse Source 
Fixes https://github.com/jerryscript-project/jerryscript/issues/2200

JerryScript-DCO-1.0-Signed-off-by: Martijn The martijn.the@intel.com
This commit is contained in:
Martijn Thé
2018-02-16 09:02:03 +01:00
committed by László Langó
parent d7991ae54c
commit 3c57698ed8
2 changed files with 42 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
jerry-core/ecma/builtin-objects/ecma-builtin-json.c
+15 -5
View File
@@ -40,6 +40,11 @@
#define BUILTIN_UNDERSCORED_ID json #define BUILTIN_UNDERSCORED_ID json
#include "ecma-builtin-internal-routines-template.inc.h" #include "ecma-builtin-internal-routines-template.inc.h"
/**
* The number of expected hexidecimal characters in a hex escape sequence
*/
#define ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH (4)
/** \addtogroup ecma ECMA /** \addtogroup ecma ECMA
* @{ * @{
* *
@@ -182,13 +187,18 @@ ecma_builtin_json_parse_string (ecma_json_token_t *token_p) /**< token argument
} }
case LIT_CHAR_LOWERCASE_U: case LIT_CHAR_LOWERCASE_U:
{ {
ecma_char_t code_unit; if ((end_p - current_p <= ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH))
if ((end_p - current_p >= 2) && !(lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit)))
{ {
return; return;
} }
current_p += 5; ecma_char_t code_unit;
if (!(lit_read_code_unit_from_hex (current_p + 1, ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH, &code_unit)))
{
return;
}
current_p += ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH + 1;
lit_utf8_byte_t char_buffer[LIT_UTF8_MAX_BYTES_IN_CODE_UNIT]; lit_utf8_byte_t char_buffer[LIT_UTF8_MAX_BYTES_IN_CODE_UNIT];
buffer_size += lit_code_unit_to_utf8 (code_unit, char_buffer); buffer_size += lit_code_unit_to_utf8 (code_unit, char_buffer);
@@ -258,9 +268,9 @@ ecma_builtin_json_parse_string (ecma_json_token_t *token_p) /**< token argument
{ {
ecma_char_t code_unit; ecma_char_t code_unit;
lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit); lit_read_code_unit_from_hex (current_p + 1, ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH, &code_unit);
current_p += 5; current_p += ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH + 1;
write_p += lit_code_unit_to_utf8 (code_unit, write_p); write_p += lit_code_unit_to_utf8 (code_unit, write_p);
continue; continue;
} }
tests/jerry/regression-test-issue-2200.js
+27
View File
@@ -0,0 +1,27 @@
// Copyright JS Foundation and other contributors, http://js.foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
[
// This input caused a buffer overrun,
// see https://github.com/jerryscript-project/jerryscript/issues/2200
'"\\ubad',
// Test similar malformations as well:
'"\\ubad"',
'"\\u',
].forEach(function(badJson) {
try {
JSON.parse(badJson);
} catch (e) {
}
});