From 55b6b1aed7aa3437b7bd315a492d067f6423806e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Csaba=20Osztrogon=C3=A1c?=
Date: Mon, 24 Aug 2020 15:01:49 +0200
Subject: [PATCH] Fix memory corruption (bad-free) in ecma_string_pad (#4164)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
JerryScript-DCO-1.0-Signed-off-by: Csaba Osztrogonác csaba.osztrogonac@h-lab.eu
---
 jerry-core/ecma/base/ecma-helpers-string.c | 5 +++--
 tests/jerry/es.next/string-prototype-padding.js | 2 ++
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/jerry-core/ecma/base/ecma-helpers-string.c b/jerry-core/ecma/base/ecma-helpers-string.c
index 67b71f387..7f82c2d9c 100644
--- a/jerry-core/ecma/base/ecma-helpers-string.c
+++ b/jerry-core/ecma/base/ecma-helpers-string.c
@@ -2580,11 +2580,12 @@ ecma_string_pad (ecma_value_t original_string_p, /**< Input ecma string */
 uint32_t remaining = fill_len - (prepend_count * filler_length);
 ECMA_STRING_TO_UTF8_STRING (filler_p, start_p, utf8_str_size);
+ const lit_utf8_byte_t *temp_start_p = start_p;
 while (remaining > 0)
 {
- read_size = lit_read_code_unit_from_utf8 (start_p, &ch);
+ read_size = lit_read_code_unit_from_utf8 (temp_start_p, &ch);
 ecma_stringbuilder_append_char (&builder, ch);
- start_p += read_size;
+ temp_start_p += read_size;
 remaining--;
 }
 ECMA_FINALIZE_UTF8_STRING (start_p, utf8_str_size);
diff --git a/tests/jerry/es.next/string-prototype-padding.js b/tests/jerry/es.next/string-prototype-padding.js
index bb84196fc..ef41e6dd3 100644
--- a/tests/jerry/es.next/string-prototype-padding.js
+++ b/tests/jerry/es.next/string-prototype-padding.js
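Review bot: In `ecma_string_pad`, nothing at the new `temp_start_p` declaration records that `start_p` has to reach `ECMA_FINALIZE_UTF8_STRING` unchanged, so a later cleanup could merge the two pointers again and bring back the bad free named in the commit title. A comment above the declaration would pin the invariant, for example `/* Walk a copy: ECMA_FINALIZE_UTF8_STRING must receive the start_p set by ECMA_STRING_TO_UTF8_STRING. */`. The loop also relies on `remaining` being smaller than the filler's code-unit count, which is computed outside this hunk. A debug check such as `JERRY_ASSERT (temp_start_p < start_p + utf8_str_size);` before the read would catch an over-read if that ever stops holding. The function body starts and ends outside the hunk.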
@@ -17,8 +17,10 @@ var test = "bar"
 assert(test.padStart("5", "foo") === "fobar")
 assert(test.padStart(6, "foo") === "foobar")
+assert(test.padStart(8, '1234')=== "12341bar")
 assert(test.padEnd(5, "baz") === "barba")
 assert(test.padEnd(6, "baz") === "barbaz")
+assert(test.padEnd(8, '1234')=== "bar12341")
 // Check for negative value
 assert(test.padStart(-5, "foo") === "bar")
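Review bot: The two added `'1234'` assertions appear to be the regression cases for the bad free, but nothing marks them as such among the ordinary padding checks, so a later tidy-up could change the filler and lose the coverage. A comment above them such as `// Regression for #4164: filler only partly consumed in the trailing pad` would keep them identifiable. Both cases use an ASCII filler, so `temp_start_p += read_size` is only exercised with a one-byte step. A case whose filler contains a multi-byte character would cover the larger step as well.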