Out-of-bounds Read
./mjs -f test.js
When test.js is empty (`*size` is 0), only 1 byte of memory is allocated:
// Reads the whole file at `path` into a freshly malloc'd buffer and stores
// its length in *size. Returns NULL when the open or the seek fails; *size
// is then left untouched, so callers must test the returned pointer before
// trusting the length. Ownership of the buffer passes to the caller.
// (The middle of the body is elided in this report — the dotted line —
// so the read itself, the NUL write and the fclose on this path are not
// visible here.)
char *cs_read_file(const char *path, size_t *size) {
FILE *fp;
char *data = NULL;
if ((fp = fopen(path, "rb")) == NULL) {
} else if (fseek(fp, 0, SEEK_END) != 0) {
fclose(fp);
} else {
// NOTE(review): ftell() returns long and yields -1 on failure; storing it
// into size_t without a `< 0` check turns that into SIZE_MAX, so the
// `*size + 1` below wraps to 0 and malloc(0) is requested.
*size = ftell(fp);
// The extra byte presumably holds the terminating NUL (written in the
// elided part); for an empty file this is the 1-byte allocation the
// report describes. The malloc result is not checked in the visible lines.
data = (char *) malloc(*size + 1); //
.............................................................................
return data;
}
But when the content of test.js is processed, `skip_spaces_and_comments` reads `pos[1]`:
// Advances p->pos past everything the tokenizer ignores: whitespace,
// `//` line comments and `/* ... */` block comments. A pass is repeated
// until it consumes nothing, so interleaved runs of the three are all
// skipped. Newlines bump p->line_no. The scan relies on the input being
// NUL-terminated: pos[1] is only inspected after pos[0] was seen to be
// '/' or '*', i.e. never past the terminator.
static void skip_spaces_and_comments(struct pstate *p) {
  for (;;) {
    const char *start = p->pos;

    // Plain whitespace.
    for (; mjs_is_space(*p->pos); p->pos++) {
      if (*p->pos == '\n') p->line_no++;
    }

    // Line comment: stop at the newline (or NUL) without consuming it,
    // so the newline is counted by the whitespace loop on the next pass.
    if (p->pos[0] == '/' && p->pos[1] == '/') {
      while (*p->pos != '\0' && *p->pos != '\n') p->pos++;
    }

    // Block comment. An unterminated one silently ends at the NUL.
    if (p->pos[0] == '/' && p->pos[1] == '*') {
      p->pos += 2;
      for (; *p->pos != '\0'; p->pos++) {
        if (*p->pos == '\n') p->line_no++;
        if (p->pos[0] == '*' && p->pos[1] == '/') {
          p->pos += 2;
          break;
        }
      }
    }

    // Nothing consumed on this pass: we are at the next token.
    if (start == p->pos) return;
  }
}