YourWishes/jerryscript
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

heap-buffer-overflow in ecma_date_parse_year (#3404)

Browse Source 
If ecma_date_parse_year got an invalid date string, it could overread the input string.
The problem was that we compared the original str_p to str_end_p instead of str_start_p.
Additionally I simplified the parser loop.

Fixes #3388.

JerryScript-DCO-1.0-Signed-off-by: Csaba Osztrogonác oszi@inf.u-szeged.hu
This commit is contained in:
Csaba Osztrogonác
2019-12-03 13:42:39 +01:00
committed by Robert Fancsik
parent 31988877b2
commit d31871d7c9
2 changed files with 3 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
jerry-core/ecma/builtin-objects/ecma-builtin-date.c
+1 -6
View File
@@ -112,13 +112,8 @@ ecma_date_parse_year (const lit_utf8_byte_t **str_p, /**< pointer to the cesu8 s
const lit_utf8_byte_t *str_start_p = *str_p;
int32_t parsed_year = 0;
while (str_start_p - *str_p <= 6)
while ((str_start_p - *str_p < 6) && (str_start_p < str_end_p) && lit_char_is_decimal_digit (*str_start_p))
{
if (*str_p >= str_end_p || !lit_char_is_decimal_digit (*str_start_p))
{
break;
}
parsed_year = 10 * parsed_year + *str_start_p - LIT_CHAR_0;
str_start_p++;
}