Fix buffer overrun while parsing malformed JSON hex escape sequence (#2201)

Fixes https://github.com/jerryscript-project/jerryscript/issues/2200 JerryScript-DCO-1.0-Signed-off-by: Martijn The martijn.the@intel.com
2025-12-15 16:29:21 +00:00 · 2018-02-16 09:02:03 +01:00 · 2018-02-16 09:02:03 +01:00 · 3c57698ed8
commit 3c57698ed8
parent d7991ae54c
2 changed files with 42 additions and 5 deletions
--- a/jerry-core/ecma/builtin-objects/ecma-builtin-json.c
+++ b/jerry-core/ecma/builtin-objects/ecma-builtin-json.c
@ -40,6 +40,11 @@
 #define BUILTIN_UNDERSCORED_ID json
 #include "ecma-builtin-internal-routines-template.inc.h"

+/**
+ * The number of expected hexidecimal characters in a hex escape sequence
+ */
+#define ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH (4)
+
 /** \addtogroup ecma ECMA
 * @{
 *
@ -182,13 +187,18 @@ ecma_builtin_json_parse_string (ecma_json_token_t *token_p) /**< token argument
        }
        case LIT_CHAR_LOWERCASE_U:
        {
-          ecma_char_t code_unit;
-          if ((end_p - current_p >= 2) && !(lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit)))
+          if ((end_p - current_p <= ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH))
          {
            return;
          }

-          current_p += 5;
+          ecma_char_t code_unit;
+          if (!(lit_read_code_unit_from_hex (current_p + 1, ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH, &code_unit)))
+          {
+            return;
+          }
+
+          current_p += ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH + 1;

          lit_utf8_byte_t char_buffer[LIT_UTF8_MAX_BYTES_IN_CODE_UNIT];
          buffer_size += lit_code_unit_to_utf8 (code_unit, char_buffer);
@ -258,9 +268,9 @@ ecma_builtin_json_parse_string (ecma_json_token_t *token_p) /**< token argument
        {
          ecma_char_t code_unit;

-          lit_read_code_unit_from_hex (current_p + 1, 4, &code_unit);
+          lit_read_code_unit_from_hex (current_p + 1, ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH, &code_unit);

-          current_p += 5;
+          current_p += ECMA_JSON_HEX_ESCAPE_SEQUENCE_LENGTH + 1;
          write_p += lit_code_unit_to_utf8 (code_unit, write_p);
          continue;
        }
--- a/tests/jerry/regression-test-issue-2200.js
+++ b/tests/jerry/regression-test-issue-2200.js
@ -0,0 +1,27 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+[
+  // This input caused a buffer overrun,
+  // see https://github.com/jerryscript-project/jerryscript/issues/2200
+  '"\\ubad',
+  // Test similar malformations as well:
+  '"\\ubad"',
+  '"\\u',
+].forEach(function(badJson) {
+  try {
+    JSON.parse(badJson);
+  } catch (e) {
+  }
+});