Fix bounds check in platform JSON parser.
WTF::Strings are not null-terminated, so this error would cause a single
character to be read past the end of the string, if the string ends in an
unfinished escape sequence.
(This parser is not currently used by any code in blink)
This also adds a test that would have caught this error, if run on an MSAN
bot, and fixes the same code in the DevTools parser. The DevTools parser
would not trigger an out-of-bounds read in the same situation, since it
operates on null-terminated string data.
Also added is the fuzzer which caught the issue in the first place.
BUG=651166
[email protected], [email protected], [email protected], pfeldman
Review URL: https://codereview.chromium.org/2380823002 .
Cr-Original-Commit-Position: refs/heads/master@{#422702}
Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src
Cr-Mirrored-Commit: d6b7b063aaa06b780d5fb5b575531bd757f95c19
diff --git a/lib/Parser_cpp.template b/lib/Parser_cpp.template
index 94fb1a2..a103b82 100644
--- a/lib/Parser_cpp.template
+++ b/lib/Parser_cpp.template
@@ -165,6 +165,8 @@
while (start < end) {
Char c = *start++;
if ('\\' == c) {
+ if (start == end)
+ return false;
c = *start++;
// Make sure the escaped char is valid.
switch (c) {
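Review bot: The new `if (start == end) return false;` before `c = *start++;` closes the one-character overread the commit message describes for an input ending in a bare backslash, but the escape forms that consume additional characters after the switch (for example a `\u` escape needing four hex digits) are outside this hunk, so confirm those reads have their own `start == end` guards rather than relying on this one. A one-line comment above the check (e.g. `// A trailing backslash is an unterminated escape; WTF::String is not null-terminated.`) would make the reason durable, since the MSAN-only symptom is easy to lose once the test is the only record of it.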
@@ -338,6 +340,8 @@
output->append(c);
continue;
}
+ if (start == end)
+ return false;
c = *start++;
if (c == 'x') {
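Review bot: The added `if (start == end) return false;` guards the single `c = *start++;` but the `if (c == 'x')` branch immediately below it reads further hex digits that are not shown in this hunk; verify that branch performs its own end-of-input check, otherwise a string ending in `\x` still walks past `end` (harmless here only because, as the commit message notes, this parser sees null-terminated data). Since the two parsers share this loop structure, keeping the check and any explanatory comment identical to the one in `Parser_cpp.template` would make future diffs between them easier to reason about.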