Home Esplora Aiuto
Accedi
SunnyMirror
/
ChakraCore
mirror da https://github.com/microsoft/ChakraCore.git
2
0
Forka 0
File Problemi 0 Wiki
Sfoglia il codice sorgente

[CVE-2017-0223] Fix right paren location calculation for lambda with assignment expression

We don't calculate correct right paren location when a lambda contains an assignment expression where the assignment rhs is wrapped in parens. Due to the incorrect offset, we overwrite the buffer allocated in ScriptFunction::EnsureSourceString when we try to toString the lambda.
Taylor Woll 9 anni fa
parent
1ae7e3ce95
commit
f74773f452
2 ha cambiato i file con 24 aggiunte e 1 eliminazioni
Visualizzazione separata Mostra Diff Stats
  1. 1 1
      lib/Parser/Parse.cpp
  2. 23 0
      test/es6/lambda1.js

+ 1 - 1
lib/Parser/Parse.cpp
Vedi File 

@@ -8440,7 +8440,7 @@ ParseNodePtr Parser::ParseExpr(int oplMin,
 
         {
 
             // Parse the operand, make a new node, and look for more
 
             IdentToken token;
 
-            pnodeT = ParseExpr<buildAST>(opl, NULL, fAllowIn, FALSE, pNameHint, &hintLength, &hintOffset, &token);
 
+            pnodeT = ParseExpr<buildAST>(opl, NULL, fAllowIn, FALSE, pNameHint, &hintLength, &hintOffset, &token, false, nullptr, plastRParen);
 
 
             // Detect nested function escapes of the pattern "o.f = function(){...}" or "o[s] = function(){...}".
 
             // Doing so in the parser allows us to disable stack-nested-functions in common cases where an escape

+ 23 - 0
test/es6/lambda1.js
Vedi File 

@@ -477,6 +477,29 @@ var tests = [
 
             var l = async() => (async() => ('str'));

             assert.areEqual("async() => (async() => ('str'))", '' + l, "Nested async lambda should be correct");

         }

+    },

+    {

+        name: "Lambda consisting of assignment expression should have correct source string",

+        body: function () {

+            var l = () => a = (123)

+            assert.areEqual('() => a = (123)', '' + l, "Lambda to string should include the parens wrapping the return expression");

+            

+            var l = () => a = (('๏บบ'))

+            assert.areEqual("() => a = (('๏บบ'))", '' + l, "Multi-byte characters should not break the string");

+            

+            var s = "() => a = ('\u{20ac}')";

+            var l = eval(s);

+            assert.areEqual(s, '' + l, "Unicode byte sequences should not break the string");

+            

+            var l = async() => a = ({});

+            assert.areEqual('async() => a = ({})', '' + l, "Async lambda should also be correct");

+            

+            var l = () => a = (() => b = (123))

+            assert.areEqual('() => a = (() => b = (123))', '' + l, "Nested lambda to string should be correct");

+            

+            var l = async() => a = (async() => b = ('str'));

+            assert.areEqual("async() => a = (async() => b = ('str'))", '' + l, "Nested async lambda should be correct");

+        }

     }

 ];