Fix multiple JSON.parse issues

Daniel Balla · Daniel Balla · commit 56719e86597b · 2018-02-01T16:20:36.000+01:00
Fixes #2180, #2192 JerryScript-DCO-1.0-Signed-off-by: Daniel Balla dballa@inf.u-szeged.hu
diff --git a/jerry-core/ecma/builtin-objects/ecma-builtin-json.c b/jerry-core/ecma/builtin-objects/ecma-builtin-json.c
@@ -161,6 +161,12 @@ ecma_builtin_json_parse_string (ecma_json_token_t *token_p) /**< token argument
       current_p++;
       has_escape_sequence = true;
 
+      /* If there is an escape sequence but there's no escapable character just return */
+      if (current_p >= end_p)
+      {
+        return;
+      }
+
       switch (*current_p)
       {
         case LIT_CHAR_DOUBLE_QUOTE:
@@ -177,8 +183,7 @@ ecma_builtin_json_parse_string (ecma_json_token_t *token_p) /**< token argument
         case LIT_CHAR_LOWERCASE_U:
         {
           ecma_char_t code_unit;
-
-          if (!(lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit)))
+          if ((end_p - current_p >= 2) && !(lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit)))
           {
             return;
           }
diff --git a/tests/jerry/fail/regression-test-issue-2180.js b/tests/jerry/fail/regression-test-issue-2180.js
@@ -0,0 +1,15 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+JSON.parse('"' + '\\');
diff --git a/tests/jerry/fail/regression-test-issue-2192.js b/tests/jerry/fail/regression-test-issue-2192.js
@@ -0,0 +1,15 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+JSON.parse('"' + '\\u');

Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,12 @@ ecma_builtin_json_parse_string (ecma_json_token_t token_p) /*< token argument`
`161`	`161`	`current_p++;`
`162`	`162`	`has_escape_sequence = true;`
`163`	`163`
	`164`	`+ /* If there is an escape sequence but there's no escapable character just return */`
	`165`	`+ if (current_p >= end_p)`
	`166`	`+ {`
	`167`	`+ return;`
	`168`	`+ }`
	`169`	`+`
`164`	`170`	`switch (*current_p)`
`165`	`171`	`{`
`166`	`172`	`case LIT_CHAR_DOUBLE_QUOTE:`
`@@ -177,8 +183,7 @@ ecma_builtin_json_parse_string (ecma_json_token_t token_p) /*< token argument`
`177`	`183`	`case LIT_CHAR_LOWERCASE_U:`
`178`	`184`	`{`
`179`	`185`	`ecma_char_t code_unit;`
`180`		`-`
`181`		`- if (!(lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit)))`
	`186`	`+ if ((end_p - current_p >= 2) && !(lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit)))`
`182`	`187`	`{`
`183`	`188`	`return;`
`184`	`189`	`}`