Fix buffer overrun while parsing malformed JSON hex escape sequence #2201
Conversation
martijnthe
force-pushed
the
bugfix-json-hex-escape-buffer-overrun
branch
from
c0e6cf5 to
ade7a0b
Compare
|
@akosthekiss Any idea what's wrong with the sign-off signature? |
|
What do you think about #2194 ? |
|
@zherczeg ah, I had not seen there was already a PR for it. I think #2194 is still not quite correct. I think the comparison should include the count for 1 char for the In my PR I also replaced the various uses of magic number |
OK, the problem is the |
martijnthe
force-pushed
the
bugfix-json-hex-escape-buffer-overrun
branch
from
ade7a0b to
6dab5ea
Compare
|
@martijnthe : Yes you are right, I've missed to increase with 1. I also strongly support the removal of magic constants. But the mistake that was made earlier to fix this kind of issue is still there. I suggest you to modify the condition as in #2194 instead of adding a new one before. |
| if ((end_p - current_p < ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH + 1)) { | ||
| return; | ||
| } | ||
|
|
||
| ecma_char_t code_unit; | ||
| if ((end_p - current_p >= 2) && !(lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit))) |
There was a problem hiding this comment.
You should use ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH here too.
There was a problem hiding this comment.
Oh whoops, I intended to remove that condition there. It would be redundant otherwise.
martijnthe
force-pushed
the
bugfix-json-hex-escape-buffer-overrun
branch
from
6dab5ea to
d97a35f
Compare
|
@robertsipka OK, fixed it. Should I also create a |
| ecma_char_t code_unit; | ||
| if ((end_p - current_p >= 2) && !(lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit))) | ||
| if (!(lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit))) |
There was a problem hiding this comment.
You've forgot to replace 4 with ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH here.
There was a problem hiding this comment.
I do not think it is necessary. LGTM (informally) after this minor fix.
| @@ -182,13 +187,17 @@ ecma_builtin_json_parse_string (ecma_json_token_t *token_p) /**< token argument | |||
| } | |||
| case LIT_CHAR_LOWERCASE_U: | |||
| { | |||
| if ((end_p - current_p < ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH + 1)) { | |||
| return; | |||
There was a problem hiding this comment.
what about <= ? Then the +1 is unnecessary.
martijnthe
force-pushed
the
bugfix-json-hex-escape-buffer-overrun
branch
from
d97a35f to
8d53e43
Compare
martijnthe
force-pushed
the
bugfix-json-hex-escape-buffer-overrun
branch
from
8d53e43 to
fb896f9
Compare
Fixes jerryscript-project#2200 JerryScript-DCO-1.0-Signed-off-by: Martijn The [email protected]
|
OK, I also satisfied the linter now and the CI build is ✅ |
…erryscript-project#2201) Fixes jerryscript-project#2200 JerryScript-DCO-1.0-Signed-off-by: Martijn The [email protected]
Fixes #2200
JerryScript-DCO-1.0-Signed-off-by: Martijn The [email protected]