Merge pull request #3 from tree-sitter/fuzzer-fixes

Fix bugs found during fuzzing
This commit is contained in:
Max Brunsfeld 2018-08-29 11:43:01 -07:00 committed by GitHub
commit e7b12d1444
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 28 deletions

View File

@ -2,21 +2,10 @@ language: node_js
sudo: false
node_js:
- "node"
compiler: clang-3.6
node_js: node
env:
- CXX=clang-3.6
addons:
apt:
sources:
- llvm-toolchain-precise-3.6
- ubuntu-toolchain-r-test
packages:
- clang-3.6
- CXX=clang
branches:
only:

View File

@ -26,14 +26,18 @@ struct Scanner {
Scanner() {}
unsigned serialize(char *buffer) {
unsigned i = 0;
unsigned n = tags.size();
std::memcpy(buffer, &n, sizeof(n));
i += sizeof(n);
for (unsigned j = 0; j < n; j++) {
Tag &tag = tags[j];
uint16_t tag_count = tags.size() > UINT16_MAX ? UINT16_MAX : tags.size();
uint16_t serialized_tag_count = 0;
unsigned i = sizeof(tag_count);
std::memcpy(&buffer[i], &tag_count, sizeof(tag_count));
i += sizeof(tag_count);
for (; serialized_tag_count < tag_count; serialized_tag_count++) {
Tag &tag = tags[serialized_tag_count];
if (tag.type == CUSTOM) {
unsigned name_length = tag.custom_tag_name.size();
if (name_length > UINT8_MAX) name_length = UINT8_MAX;
if (i + 2 + name_length >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) break;
buffer[i++] = static_cast<char>(tag.type);
buffer[i++] = name_length;
@ -44,6 +48,8 @@ struct Scanner {
buffer[i++] = static_cast<char>(tag.type);
}
}
std::memcpy(&buffer[0], &serialized_tag_count, sizeof(serialized_tag_count));
return i;
}
@ -51,15 +57,20 @@ struct Scanner {
tags.clear();
if (length > 0) {
unsigned i = 0;
unsigned n;
std::memcpy(&n, buffer, sizeof(n));
i += sizeof(n);
tags.resize(n);
for (unsigned j = 0; j < n; j++) {
uint16_t tag_count, serialized_tag_count;
std::memcpy(&serialized_tag_count, &buffer[i], sizeof(serialized_tag_count));
i += sizeof(serialized_tag_count);
std::memcpy(&tag_count, &buffer[i], sizeof(tag_count));
i += sizeof(tag_count);
tags.resize(tag_count);
for (unsigned j = 0; j < serialized_tag_count; j++) {
Tag &tag = tags[j];
tag.type = static_cast<TagType>(buffer[i++]);
if (tag.type == CUSTOM) {
unsigned name_length = buffer[i++];
uint16_t name_length = (uint16_t)buffer[i++];
tag.custom_tag_name.assign(&buffer[i], &buffer[i + name_length]);
i += name_length;
}
@ -202,8 +213,10 @@ struct Scanner {
lexer->advance(lexer, false);
if (lexer->lookahead == '>') {
lexer->advance(lexer, false);
tags.pop_back();
lexer->result_symbol = SELF_CLOSING_TAG_DELIMITER;
if (!tags.empty()) {
tags.pop_back();
lexer->result_symbol = SELF_CLOSING_TAG_DELIMITER;
}
return true;
}
return false;

View File

@ -310,7 +310,13 @@ struct Tag {
TagType type;
string custom_tag_name;
Tag() : type(DIV) {}
// This default constructor is used in the case where there is not enough space
// in the serialization buffer to store all of the tags. In that case, tags
// that cannot be serialized will be treated as having an unknown type. These
// tags will be closed via implicit end tags regardless of the next closing
// tag is encountered.
Tag() : type(END_OF_VOID_TAGS) {}
Tag(TagType type, const string &name) : type(type), custom_tag_name(name) {}
bool operator==(const Tag &other) const {