fix(fe): fix out-of-bounds read on AArch64 when checking keywords

quick-lint · Dec 29, 2023 · 67ed86c · 67ed86c
1 parent 540f7dd
commit 67ed86c
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/src/quick-lint-js/fe/keyword-lexer.cpp b/src/quick-lint-js/fe/keyword-lexer.cpp
@@ -7,6 +7,7 @@
 #include <quick-lint-js/fe/keyword-lexer.h>
 #include <quick-lint-js/port/char8.h>
 #include <quick-lint-js/port/have.h>
+#include <quick-lint-js/port/math.h>
 #include <quick-lint-js/port/simd.h>
 
 namespace quick_lint_js {
@@ -37,7 +38,7 @@ bool Keyword_Lexer::key_strings_equal(const Char8* a, const Char8* b,
 #else
   // TODO(strager): Optimize ARM NEON.
   // TODO(strager): Optimize WebAssembly SIMD128.
-  return std::memcmp(a, b, size) == 0;
+  return std::memcmp(a, b, minimum(maximum_key_length, size)) == 0;
 #endif
 }
 }

diff --git a/src/quick-lint-js/port/math.h b/src/quick-lint-js/port/math.h
@@ -10,6 +10,11 @@ template <class T, class U>
 constexpr auto maximum(T x, U y) {
   return x < y ? y : x;
 }
+
+template <class T, class U>
+constexpr auto minimum(T x, U y) {
+  return x < y ? x : y;
+}
 }
 
 // quick-lint-js finds bugs in JavaScript programs.

diff --git a/test/test-lex.cpp b/test/test-lex.cpp
@@ -1434,6 +1434,10 @@ TEST_F(Test_Lex, lex_identifiers) {
   this->check_single_token(u8"ident$with$dollars"_sv,
                            u8"ident$with$dollars"_sv);
   this->check_single_token(u8"digits0123456789"_sv, u8"digits0123456789"_sv);
+
+  // This identifier used to read the keyword table out of bounds.
+  this->check_single_token(u8"kedhinkunnunnnunuwnunununnun"_sv,
+                           u8"kedhinkunnunnnunuwnunununnun"_sv);
 }
 
 TEST_F(Test_Lex, ascii_identifier_with_escape_sequence) {