Fixed heap-buffer-overflow in lexer.
authorDmitry Volyntsev <xeioex@nginx.com>
Sun, 10 Mar 2019 18:13:26 +0000 (21:13 +0300)
committerDmitry Volyntsev <xeioex@nginx.com>
Sun, 10 Mar 2019 18:13:26 +0000 (21:13 +0300)
The issue was introduced in 8e2cb4da5e46.

njs/njs_lexer.c
njs/test/njs_unit_test.c

index ca4e6d2c8a2af37947f90ae32d0998ae19ee5cee..82ddc4a1943069ab5e66c9a22bbd9ce148e1dd6f 100644 (file)
@@ -371,7 +371,7 @@ njs_lexer_token_push(njs_vm_t *vm, njs_lexer_t *lexer)
 {
     njs_lexer_token_t  *lt;
 
-    lt = nxt_mp_alloc(vm->mem_pool, sizeof(njs_lexer_token_t));
+    lt = nxt_mp_zalloc(vm->mem_pool, sizeof(njs_lexer_token_t));
     if (nxt_slow_path(lt == NULL)) {
         return NULL;
     }
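Review bot: The switch to `nxt_mp_zalloc` in njs_lexer_token_push carries no comment saying which reads depend on the zeroed token, so a later cleanup could revert it to `nxt_mp_alloc` as a micro-optimisation. Judging by the commit title and the other lexer hunk, the zeroing looks like defence in depth against `lt->text` being read on a path that returned without setting it. If that is the intent, state it above the call, e.g. `/* Zeroed: lt->text must be empty if the lexer returns before setting it. */`. The function body continues outside the hunk, so the fields assigned after the NULL check are not visible here.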
@@ -542,23 +542,8 @@ njs_lexer_next_token(njs_lexer_t *lexer, njs_lexer_token_t *lt)
 
             /* Fall through. */
 
-        case NJS_TOKEN_BITWISE_NOT:
-        case NJS_TOKEN_OPEN_PARENTHESIS:
-        case NJS_TOKEN_CLOSE_PARENTHESIS:
-        case NJS_TOKEN_OPEN_BRACKET:
-        case NJS_TOKEN_CLOSE_BRACKET:
-        case NJS_TOKEN_OPEN_BRACE:
-        case NJS_TOKEN_CLOSE_BRACE:
-        case NJS_TOKEN_COMMA:
-        case NJS_TOKEN_COLON:
-        case NJS_TOKEN_SEMICOLON:
-        case NJS_TOKEN_CONDITIONAL:
-            lt->text.length = lexer->start - lt->text.start;
-            return token;
-
-        case NJS_TOKEN_ILLEGAL:
         default:
-            lexer->start--;
+            lt->text.length = lexer->start - lt->text.start;
             return token;
         }
 
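Review bot: The `default:` branch no longer rewinds with `lexer->start--`, so an illegal byte is now consumed like any other single-character token. Nothing in the hunk shows whether any caller relied on `lexer->start` still pointing at the offending byte, so that is worth confirming. With the explicit case list gone, any token type added later lands in `default:` silently, which is only correct while its text is exactly `lexer->start - lt->text.start`. A comment above `default:` would record the invariant, e.g. `/* All remaining tokens, including NJS_TOKEN_ILLEGAL: every return must set lt->text.length. */`. The enclosing switch and function start and end outside the hunk.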
index 35e874cac54360c9f05b29cfcc884999ccead8b0..8db3fe9363246f3c52b630c5d139fd5e66d80400 100644 (file)
@@ -22,6 +22,9 @@ typedef struct {
 
 static njs_unit_test_t  njs_test[] =
 {
+    { nxt_string("@"),
+      nxt_string("SyntaxError: Unexpected token \"@\" in 1") },
+
     { nxt_string("}"),
       nxt_string("SyntaxError: Unexpected token \"}\" in 1") },
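Review bot: The regression case covers an illegal character only as the very first byte of the script. The fixed branch in njs_lexer.c is presumably also reached when the illegal byte follows other tokens, and that is not pinned here. Consider a second entry such as `{ nxt_string("var a = 1; @"), nxt_string("SyntaxError: Unexpected token \"@\" in 1") },`; the expected text follows the pattern of the neighbouring entries and should be confirmed by running the suite. Running the unit tests under AddressSanitizer would make both cases fail loudly if the token length is ever left unset again. The njs_test array continues outside the hunk.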