shithub: libmujs


ref: e01fe424ab94395713d94f46eee57f1af0a279b4
parent: 294a803552de8874390bedd5e3ce1ead703394c1
author: Tor Andersson <[email protected]>
date: Fri Dec 27 12:33:04 EST 2013

Check hex string escapes so we don't read past the end of the string.

--- a/js-lex.c
+++ b/js-lex.c
@@ -294,20 +294,20 @@
 static inline int lexescape(const char **sp)
 {
 	int c = GET();
-	int x, y, z, w;
+	int x = 0;
 
 	switch (c) {
 	case '0': return 0;
 	case 'u':
-		x = tohex(GET());
-		y = tohex(GET());
-		z = tohex(GET());
-		w = tohex(GET());
-		return (x << 12) | (y << 8) | (z << 4) | w;
+		if (!ishex(PEEK())) return x; else x |= NEXTPEEK() << 12;
+		if (!ishex(PEEK())) return x; else x |= NEXTPEEK() << 8;
+		if (!ishex(PEEK())) return x; else x |= NEXTPEEK() << 4;
+		if (!ishex(PEEK())) return x; else x |= NEXTPEEK();
+		return x;
 	case 'x':
-		x = tohex(GET());
-		y = tohex(GET());
-		return (x << 4) | y;
+		if (!ishex(PEEK())) return x; else x |= NEXTPEEK() << 4;
+		if (!ishex(PEEK())) return x; else x |= NEXTPEEK();
+		return x;
 	case '\'': return '\'';
 	case '"': return '"';
 	case '\\': return '\\';
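Review bot: The rewritten `\u` and `\x` branches of lexescape drop the `tohex()` conversion that the removed lines applied, so each `x |= NEXTPEEK() << n` appears to OR in a raw character code rather than a 4-bit digit value. NEXTPEEK is defined outside the hunk, but its name suggests it advances first and then reads the character after the digit that `ishex(PEEK())` just validated, which would also bypass the new end-of-string check. Keeping the bounds check while converting the checked digit would look like `if (!ishex(PEEK())) return x; else x |= tohex(GET()) << 12;`, repeated with the matching shift on the other five lines. A truncated escape also returns the partial value silently (a bare `\x` returns 0, the same value as `\0`), so it is worth considering whether malformed escapes should be reported to the caller instead. The switch continues past the end of the hunk.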