From 67ed86c98aa6ec300fcb025824dd6db91b67d0f1 Mon Sep 17 00:00:00 2001 From: "Matthew \"strager\" Glazar" Date: Fri, 29 Dec 2023 13:01:34 -0500 Subject: [PATCH] fix(fe): fix out-of-bounds read on AArch64 when checking keywords --- src/quick-lint-js/fe/keyword-lexer.cpp | 3 ++- src/quick-lint-js/port/math.h | 5 +++++ test/test-lex.cpp | 4 ++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/quick-lint-js/fe/keyword-lexer.cpp b/src/quick-lint-js/fe/keyword-lexer.cpp index efac3a947b..788367bf38 100644 --- a/src/quick-lint-js/fe/keyword-lexer.cpp +++ b/src/quick-lint-js/fe/keyword-lexer.cpp @@ -7,6 +7,7 @@ #include #include #include +#include #include namespace quick_lint_js { @@ -37,7 +38,7 @@ bool Keyword_Lexer::key_strings_equal(const Char8* a, const Char8* b, #else // TODO(strager): Optimize ARM NEON. // TODO(strager): Optimize WebAssembly SIMD128. - return std::memcmp(a, b, size) == 0; + return std::memcmp(a, b, minimum(maximum_key_length, size)) == 0; #endif } } diff --git a/src/quick-lint-js/port/math.h b/src/quick-lint-js/port/math.h index 268d3104e0..d0d940dbff 100644 --- a/src/quick-lint-js/port/math.h +++ b/src/quick-lint-js/port/math.h @@ -10,6 +10,11 @@ template constexpr auto maximum(T x, U y) { return x < y ? y : x; } + +template +constexpr auto minimum(T x, U y) { + return x < y ? x : y; +} } // quick-lint-js finds bugs in JavaScript programs. diff --git a/test/test-lex.cpp b/test/test-lex.cpp index 08a26b69cf..703932743f 100644 --- a/test/test-lex.cpp +++ b/test/test-lex.cpp @@ -1434,6 +1434,10 @@ TEST_F(Test_Lex, lex_identifiers) { this->check_single_token(u8"ident$with$dollars"_sv, u8"ident$with$dollars"_sv); this->check_single_token(u8"digits0123456789"_sv, u8"digits0123456789"_sv); + + // This identifier used to read the keyword table out of bounds. + this->check_single_token(u8"kedhinkunnunnnunuwnunununnun"_sv, + u8"kedhinkunnunnnunuwnunununnun"_sv); } TEST_F(Test_Lex, ascii_identifier_with_escape_sequence) {