LibJS: Fix out-of-bounds read when parsing escape sequences

We cannot look at the (i+1)-th character until we have verified that it is there.
Sergey Bugaev 2020-06-01 16:56:39 +03:00 committed by Andreas Kling
parent 80f671e16c
commit 1274c244d5


@ -146,11 +146,13 @@ String Token::string_value(StringValueStatus& status) const
if (code_point == '{') {
code_point = 0;
do {
while (true) {
if (i + 1 >= m_value.length() - offset)
return encoding_failure(StringValueStatus::MalformedUnicodeEscape);
auto ch = m_value[++i];
if (ch == '}')
break;
if (!isxdigit(ch))
return encoding_failure(StringValueStatus::MalformedUnicodeEscape);
@ -158,8 +160,7 @@ String Token::string_value(StringValueStatus& status) const
if (new_code_point < code_point)
return encoding_failure(StringValueStatus::UnicodeEscapeOverflow);
code_point = new_code_point;
} while (m_value[i + 1] != '}');
++i;
}
} else {
if (i + 3 >= m_value.length() - offset || !isxdigit(code_point))
return encoding_failure(StringValueStatus::MalformedUnicodeEscape);
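Review bot: With the `do` loop replaced by `while (true)` and `if (ch == '}') break;` now sitting before the `isxdigit` check, an escape with no digits at all (`\u{}`) leaves the loop on its first iteration with `code_point` still 0 and is accepted as U+0000, whereas the old loop always consumed one character as a hex digit first and rejected that input; the `}` added in this hunk is what closes that loop. A flag recording that at least one digit was consumed restores the old rejection without giving up the new bounds check, e.g. `bool seen_digit = false;` before the loop, `seen_digit = true;` after the `isxdigit` check, and `if (ch == '}') { if (!seen_digit) return encoding_failure(StringValueStatus::MalformedUnicodeEscape); break; }`. The lines that compute `new_code_point` are not shown on this page, so I cannot tell whether a value above 0x10FFFF is rejected; the `new_code_point < code_point` test alone only catches wrap-around. `Token::string_value` starts outside both hunks.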