shadowfacts
/
tree-sitter-html
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Prevent out-of-bounds read when deserializing 

We first serialize the total number of tags, then serialize each individual
tag. If we don't have enough space to serialize a particular tag we stop
serializing any remaining tags.

However, this causes an out-of-bounds read when deserializing because there are
less tags than expected. Just bail when there are too many tags to serialize.
This commit is contained in:
Phil Turnbull 2018-08-07 12:44:20 -04:00
parent e541c9b64b
commit 5877d9a30d
No known key found for this signature in database
GPG Key ID: D81B30C00789D262
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/scanner.cc
View File

@ -34,14 +34,14 @@ struct Scanner {
Tag &tag = tags[j];
if (tag.type == CUSTOM) {
unsigned name_length = tag.custom_tag_name.size();
if (name_length > UINT8_MAX) break;
if (i + 2 + name_length >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) break;
if (name_length > UINT8_MAX) return 0;
if (i + 2 + name_length >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) return 0;
buffer[i++] = static_cast<char>(tag.type);
buffer[i++] = name_length;
tag.custom_tag_name.copy(&buffer[i], name_length);
i += name_length;
} else {
if (i + 1 >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) break;
if (i + 1 >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) return 0;
buffer[i++] = static_cast<char>(tag.type);
}
}