Fix OOB read in JSLexer from invalid continuation sequence

Summary: For the JS source input shown from xxd: ``` 2222 efbb bfef ``` which is two double quotes followed by the UTF-8 Byte Order Mark (BOM): 0xef 0xbb 0xbf followed by the beginning of a second BOM. The second BOM is unterminated, and the bug was that we were using the original start of the end of the directive to check the second BOM instead of the current point in the buffer. Reviewed By: tmikov Differential Revision: D22187723 fbshipit-source-id: 21b4a91b38637a15972c37fbbadf1ca5b8721c4c
gmh5225 · Jun 23, 2020 · e145200 · e145200
1 parent 31e82ef
commit e145200
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/lib/Parser/JSLexer.cpp b/lib/Parser/JSLexer.cpp
@@ -589,8 +589,7 @@ bool JSLexer::isCurrentTokenADirective() {
 
       // Byte-order mark \uFEFF is encoded as: ef bb bf
       case 0xef:
-        if ((unsigned char)curCharPtr_[1] == 0xbb &&
-            (unsigned char)curCharPtr_[2] == 0xbf) {
+        if ((unsigned char)ptr[1] == 0xbb && (unsigned char)ptr[2] == 0xbf) {
           ptr += 3;
           continue;
         } else {

diff --git a/unittests/Parser/JSParserTest.cpp b/unittests/Parser/JSParserTest.cpp
@@ -158,4 +158,15 @@ TEST(JSParserTest, TestRegExp) {
   ASSERT_TRUE(parsed.hasValue());
 }
 
+TEST(JSParserTest, TestUnterminatedBOMInDirective) {
+  Context context;
+  // Begin an unterminated Byte Order Mark (BOM) after the first one.
+  JSParser parser(context, "\"\"\xef\xbb\xbf\xef");
+  auto parsed = parser.parse();
+  ASSERT_FALSE(parsed.hasValue());
+
+  SourceErrorManager &sm = context.getSourceErrorManager();
+  EXPECT_EQ(sm.getErrorCount(), 2);
+}
+
 }; // anonymous namespace