fix(fe): fix buffer overflow during keyword checking

quick-lint · Feb 25, 2024 · 02a1c89 · 02a1c89
1 parent d010165
commit 02a1c89
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -19,6 +19,9 @@ Semantic Versioning.
 
 * TypeScript: `(): RT<T>=>null` (with no spaces in `>=>`) now parses correctly.
   (Fixed by [vegerot][].)
+* Fixed a read buffer overflow (possibly leading to a crash) when checking
+  whether short identifiers containing Unicode escape sequences are keywords.
+  (x86 and x86_64 only.) (Reported by [Roland Strasser][].)
 
 ## 3.1.0 (2024-01-10)
 

diff --git a/src/quick-lint-js/fe/lex.cpp b/src/quick-lint-js/fe/lex.cpp
@@ -14,6 +14,7 @@
 #include <quick-lint-js/diag/buffering-diag-reporter.h>
 #include <quick-lint-js/diag/diag-list.h>
 #include <quick-lint-js/diag/diagnostic-types.h>
+#include <quick-lint-js/fe/keyword-lexer.h>
 #include <quick-lint-js/fe/lex.h>
 #include <quick-lint-js/fe/token.h>
 #include <quick-lint-js/port/bit.h>
@@ -1832,9 +1833,15 @@ Lexer::Parsed_Identifier Lexer::parse_identifier_slow(
     }
   }
 
+  String8_View normalized_view = normalized.release_to_string_view();
+
+  // Add padding bytes required by Keyword_Lexer. This should not be considered
+  // part of the returned string.
+  normalized.resize(normalized.size() + Keyword_Lexer::padding_size);
+
   return Parsed_Identifier{
       .after = input,
-      .normalized = normalized.release_to_string_view(),
+      .normalized = normalized_view,
       .escape_sequences = escape_sequences,
   };
 }