Fix buffer overrun while parsing malformed JSON hex escape sequence

Fixes #2200

JerryScript-DCO-1.0-Signed-off-by: Martijn Thé [email protected]

Author: Martijn Thé

jerry-core/ecma/builtin-objects/ecma-builtin-json.c

@@ -40,6 +40,11 @@
 #define BUILTIN_UNDERSCORED_ID json
 #include "ecma-builtin-internal-routines-template.inc.h"
 
+/**
+ * The number of expected hexidecimal characters in a hex escape sequence (i.e. \ud801)
+ */
+#define ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH (4)
+
 /** \addtogroup ecma ECMA
  * @{
  *
@@ -182,13 +187,17 @@ ecma_builtin_json_parse_string (ecma_json_token_t *token_p) /**< token argument
         }
         case LIT_CHAR_LOWERCASE_U:
         {
+          if ((end_p - current_p < ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH + 1)) {
+            return;
+          }
+
           ecma_char_t code_unit;
           if ((end_p - current_p >= 2) && !(lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit)))
           {
             return;
           }
 
-          current_p += 5;
+          current_p += ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH + 1;
 
           lit_utf8_byte_t char_buffer[LIT_UTF8_MAX_BYTES_IN_CODE_UNIT];
           buffer_size += lit_code_unit_to_utf8 (code_unit, char_buffer);
@@ -258,9 +267,9 @@ ecma_builtin_json_parse_string (ecma_json_token_t *token_p) /**< token argument
         {
           ecma_char_t code_unit;
 
-          lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit);
+          lit_read_code_unit_from_hex (current_p + 1, ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH, &code_unit);
 
-          current_p += 5;
+          current_p += ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH + 1;
           write_p += lit_code_unit_to_utf8 (code_unit, write_p);
           continue;
         }

tests/jerry/regression-test-issue-2200.js

@@ -0,0 +1,27 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+[
+  // This input caused a buffer overrun,
+  // see https://github.com/jerryscript-project/jerryscript/issues/2200
+  '"\\ubad',
+  // Test similar malformations as well:
+  '"\\ubad"',
+  '"\\u',
+].forEach(function(badJson) {
+  try {
+    JSON.parse(badJson);
+  } catch (e) {
+  }
+});