archive-gh-me/jerryscript
1
0
Fork 0
mirror of https://github.com/jerryscript-project/jerryscript.git synced 2025-12-15 16:29:21 +00:00
Code Issues Projects Releases Wiki Activity

heap-buffer-overflow in ecma_date_parse_year (#3404)

Browse Source 
If ecma_date_parse_year got an invalid date string, it could overread the input string.
The problem was that we compared the original str_p to str_end_p instead of str_start_p.
Additionally I simplified the parser loop.

Fixes #3388.

JerryScript-DCO-1.0-Signed-off-by: Csaba Osztrogonác oszi@inf.u-szeged.hu
This commit is contained in:
Csaba Osztrogonác 2019-12-03 13:42:39 +01:00 committed by Robert Fancsik
parent 31988877b2
commit d31871d7c9
2 changed files with 3 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
jerry-core/ecma/builtin-objects/ecma-builtin-date.c
View File

@ -112,13 +112,8 @@ ecma_date_parse_year (const lit_utf8_byte_t **str_p, /**< pointer to the cesu8 s
const lit_utf8_byte_t *str_start_p = *str_p; const lit_utf8_byte_t *str_start_p = *str_p;
int32_t parsed_year = 0; int32_t parsed_year = 0;
while (str_start_p - *str_p <= 6) while ((str_start_p - *str_p < 6) && (str_start_p < str_end_p) && lit_char_is_decimal_digit (*str_start_p))
{ {
if (*str_p >= str_end_p || !lit_char_is_decimal_digit (*str_start_p))
{
break;
}
parsed_year = 10 * parsed_year + *str_start_p - LIT_CHAR_0; parsed_year = 10 * parsed_year + *str_start_p - LIT_CHAR_0;
str_start_p++; str_start_p++;
} }

3
tests/jerry/date-parse.js
View File

@ -70,7 +70,8 @@ var wrongFormats = ["",
"Fri Jan 01 -1 00:00:00 GMT+0000", "Fri Jan 01 -1 00:00:00 GMT+0000",
"Fri Jan 01 -11 00:00:00 GMT+0000", "Fri Jan 01 -11 00:00:00 GMT+0000",
"Fri Jan 01 -111 00:00:00 GMT+0000", "Fri Jan 01 -111 00:00:00 GMT+0000",
"Fri Jan 01 -1234567 00:00:00 GMT+0000"]; "Fri Jan 01 -1234567 00:00:00 GMT+0000",
"Thu Apr 10 1997"];
for (i in wrongFormats) { for (i in wrongFormats) {
var d = Date.parse(wrongFormats[i]); var d = Date.parse(wrongFormats[i]);