Skip to content

Fix heap buffer overflow in re_parse_char_class #2352

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 28, 2018
Merged

Fix heap buffer overflow in re_parse_char_class #2352

merged 1 commit into from
May 28, 2018

Conversation

rerobika
Copy link
Member

@rerobika rerobika commented May 22, 2018
edited
Loading

This patch fixes #2230 and fixes #2237.
Test cases are added for both issues and also adds new cases which caused the same error.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]

akosthekiss
akosthekiss requested changes May 24, 2018
View reviewed changes
Copy link
Member

@akosthekiss akosthekiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than the style issues, the patch looks good.

One comment to the commit message: to get the fixed issues automatically closed when the PR gets merged, all referenced issue numbers must be preceded by a closing keyword as described here: https://help.github.com/articles/closing-issues-using-keywords/#closing-multiple-issues . So, it should read "This patch fixes NNN and fixes MMM."

jerry-core/parser/regexp/re-parser.c Outdated
if (is_range == false && lit_utf8_peek_next (parser_ctx_p->input_curr_p) == LIT_CHAR_MINUS)
if (parser_ctx_p->input_curr_p < parser_ctx_p->input_end_p &&
is_range == false &&
lit_utf8_peek_next (parser_ctx_p->input_curr_p) == LIT_CHAR_MINUS)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The formatting of this condition is out of style. It should be

if (cond1
    && cond2
    && cond3)
{
}

jerry-core/parser/regexp/re-parser.c Outdated
if (is_range == false && lit_utf8_peek_next (parser_ctx_p->input_curr_p) == LIT_CHAR_MINUS)
if (parser_ctx_p->input_curr_p < parser_ctx_p->input_end_p &&
is_range == false &&
lit_utf8_peek_next (parser_ctx_p->input_curr_p) == LIT_CHAR_MINUS)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same style issue

@akosthekiss akosthekiss added the bug Undesired behaviour label May 24, 2018
@rerobika rerobika force-pushed the issue_2230_and_2237 branch from 219bed1 to fcf074b Compare May 25, 2018 09:02
@rerobika
Copy link
Member Author

@akosthekiss Thanks for the review, I've applied your suggestions.

akosthekiss
akosthekiss reviewed May 25, 2018
View reviewed changes
tests/jerry/regression-test-issue-2230.js Outdated

try {
((new RegExp("[\\u0")).exec("u"));
} catch (e) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more note: is it expected that the regex exec throws an exception? In that case we should add an assert (false) after the regex and before the catch IMO. Otherwise the test could pass without checking any assertions.

(same note to all try-catches in both tests)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! Also the PR is rebased to the latest master.

@rerobika rerobika force-pushed the issue_2230_and_2237 branch from fcf074b to 8087edd Compare May 25, 2018 09:37
@rerobika
Fix heap buffer overflow in re_parse_char_class
7c3f2bc 
This patch fixes jerryscript-project#2230 and fixes jerryscript-project#2237.
Test cases are added for both issues and also adds new cases which caused the same error.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
@rerobika rerobika force-pushed the issue_2230_and_2237 branch from 8087edd to 7c3f2bc Compare May 25, 2018 10:18
akosthekiss
akosthekiss approved these changes May 25, 2018
View reviewed changes
Copy link
Member

@akosthekiss akosthekiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

LaszloLango
LaszloLango approved these changes May 28, 2018
View reviewed changes
Copy link
Contributor

@LaszloLango LaszloLango left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@LaszloLango LaszloLango merged commit e6664f6 into jerryscript-project:master May 28, 2018
@rerobika rerobika deleted the issue_2230_and_2237 branch February 28, 2019 11:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akosthekiss akosthekiss akosthekiss approved these changes

@LaszloLango LaszloLango LaszloLango approved these changes

Assignees
No one assigned
Labels
bug Undesired behaviour
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

heap-buffer-overflow in lit_read_code_unit_from_utf8 heap-buffer-overflow in lit_read_code_unit_from_hex
3 participants
@rerobika @akosthekiss @LaszloLango