test-api.c has an out-of-bounds write (buffer overflow)

[mlite]

Reproducing steps:

1. I use my Stensal SDK (https://stensal.com)
2. build jerryscript with stensal-c
3. Run ./build/tests/unit-test-api

This is what I got:

ok 148343051 148341491 0xfff0e4a8 2
ok construct 148343083 148343163 0xfff11bec 1
ok 148343251 148341491 0xfff0e4b4 0
ok object free callback

DTS_MSG: Stensal DTS detected a fatal program error!
DTS_MSG: Continuing the execution will cause unexpected behaviors, abort!
DTS_MSG: OOB Write:writing 1 bytes at 0xfff11570 will corrupt the adjacent data.
DTS_MSG: Diagnostic information:

• The object to-be-written (start:0xfff1156c, size:4 bytes) is allocated at

• file:/home/sbuilder/workspace/jerryscript/tests/unit-core/test-api.c::881, 10
  

• 0xfff1156c 0xfff1156f
• +------------------------+
• |the object to-be-written|......
• +------------------------+

•                        ^~~~~~~~~~
  

•    the write starts at 0xfff11570 that is right after the object end.
  

• Stack trace (most recent call first):
  -[1] file:/home/sbuilder/workspace/jerryscript/tests/unit-core/test-api.c::884, 5
  -[2] file:/home/nwang/acore/musl/src/env/__libc_start_main.c::180, 11

[akosthekiss]

@mlite Thanks for the report. It has revealed a bug in the unit tests.

The problem is in tests/unit-core/test-api.c around lines 881-884:

char buff[jerry_get_string_length (parsed_data)]; /// BUG: buff should have +1 to its size if terminating zero will be added later manually
jerry_size_t buff_size = (jerry_size_t) jerry_get_string_length (parsed_data); /// SMELL: jerry_get_string_length is called twice in a row
jerry_string_to_char_buffer (parsed_data, (jerry_char_t *) buff, buff_size);
buff[buff_size] = '\0'; /// BUG(manifested): writing past the end of the buffer