From c3e5126b1e8602c2f4ee77c102891d42bd467d98 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Sun, 10 Mar 2019 21:13:26 +0300
Subject: [PATCH] Fixed heap-buffer-overflow in lexer.

The issue was introduced in 8e2cb4da5e46.
---
 njs/njs_lexer.c          | 19 ++-----------------
 njs/test/njs_unit_test.c |  3 +++
 2 files changed, 5 insertions(+), 17 deletions(-)

diff --git a/njs/njs_lexer.c b/njs/njs_lexer.c
index ca4e6d2c..82ddc4a1 100644
--- a/njs/njs_lexer.c
+++ b/njs/njs_lexer.c
@@ -371,7 +371,7 @@ njs_lexer_token_push(njs_vm_t *vm, njs_lexer_t *lexer)
 {
     njs_lexer_token_t  *lt;
-    lt = nxt_mp_alloc(vm->mem_pool, sizeof(njs_lexer_token_t));
+    lt = nxt_mp_zalloc(vm->mem_pool, sizeof(njs_lexer_token_t));
     if (nxt_slow_path(lt == NULL)) {
         return NULL;
     }
@@ -542,23 +542,8 @@ njs_lexer_next_token(njs_lexer_t *lexer, njs_lexer_token_t *lt)
         /* Fall through. */
-    case NJS_TOKEN_BITWISE_NOT:
-    case NJS_TOKEN_OPEN_PARENTHESIS:
-    case NJS_TOKEN_CLOSE_PARENTHESIS:
-    case NJS_TOKEN_OPEN_BRACKET:
-    case NJS_TOKEN_CLOSE_BRACKET:
-    case NJS_TOKEN_OPEN_BRACE:
-    case NJS_TOKEN_CLOSE_BRACE:
-    case NJS_TOKEN_COMMA:
-    case NJS_TOKEN_COLON:
-    case NJS_TOKEN_SEMICOLON:
-    case NJS_TOKEN_CONDITIONAL:
-        lt->text.length = lexer->start - lt->text.start;
-        return token;
-
-    case NJS_TOKEN_ILLEGAL:
     default:
-        lexer->start--;
+        lt->text.length = lexer->start - lt->text.start;
         return token;
     }
diff --git a/njs/test/njs_unit_test.c b/njs/test/njs_unit_test.c
index 35e874ca..8db3fe93 100644
--- a/njs/test/njs_unit_test.c
+++ b/njs/test/njs_unit_test.c
@@ -22,6 +22,9 @@ typedef struct {
 static njs_unit_test_t  njs_test[] =
 {
+    { nxt_string("@"),
+      nxt_string("SyntaxError: Unexpected token \"@\" in 1") },
+
     { nxt_string("}"),
       nxt_string("SyntaxError: Unexpected token \"}\" in 1") },
-- 
2.47.3
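Review bot: The `lt = nxt_mp_zalloc(...)` line carries no explanation of why zeroing is now required, so a later "avoid the memset" cleanup could revert it to `nxt_mp_alloc` and silently reopen the out-of-bounds read the commit title describes. I would pin the reason on that line: `/* zalloc: token fields such as text.length must never be read uninitialized; the lexer's error path reports the token text. */`. As far as the two hunks show, the zeroing is a safety net rather than the fix itself, since the length is now assigned in njs_lexer_next_token's default case, and the comment should say so to keep the two halves of the fix connected. njs_lexer_token_push's body continues outside the hunk.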
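Review bot: Nothing in the new `default:` branch records that NJS_TOKEN_ILLEGAL now lands there deliberately and that the offending byte is meant to stay consumed so `lt->text.length` spans it; with the explicit `case NJS_TOKEN_ILLEGAL:` label and the `lexer->start--` rewind removed, the intent is only visible in the diff. Someone who later restores the rewind to "un-read" the bad character would reintroduce the stale-length bug this commit fixes, so I would label it: `default:  /* includes NJS_TOKEN_ILLEGAL: the bad byte stays consumed so text covers it; do not rewind lexer->start here */`. The length expression also relies on `lexer->start >= lt->text.start`; if the project has a debug assertion macro, placing one before the assignment would catch a negative difference wrapping into a huge unsigned length, though neither the macro's existence nor the type of `text.length` is visible in the hunk. njs_lexer_next_token's body starts outside the hunk.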
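Review bot: The new regression entry exercises an illegal token only at offset 0 of a one-byte program, so it would not catch a `text.start`/`text.length` mismatch that only shows once other tokens precede the bad one. A companion entry such as `{ nxt_string("1 + @"), nxt_string("SyntaxError: Unexpected token \"@\" in 1") }` would cover that, assuming the message format seen in the existing `}` case applies unchanged. An illegal multi-byte character would be a further candidate, but how the lexer measures non-ASCII input is not visible here.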