From 02a1c8949b4fc1a897afa90dc871eda74d6f9764 Mon Sep 17 00:00:00 2001
From: "Matthew \"strager\" Glazar"
Date: Sun, 25 Feb 2024 01:29:17 -0500
Subject: [PATCH] fix(fe): fix buffer overflow during keyword checking

---
 docs/CHANGELOG.md | 3 +++
 src/quick-lint-js/fe/lex.cpp | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index edd93b8219..fd03af559f 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -19,6 +19,9 @@ Semantic Versioning.
 * TypeScript: `(): RT=>null` (with no spaces in `>=>`) now parses correctly.
   (Fixed by [vegerot][].)
+* Fixed a read buffer overflow (possibly leading to a crash) when checking
+  whether short identifiers containing Unicode escape sequences are keywords.
+  (x86 and x86_64 only.) (Reported by [Roland Strasser][].)
 
 ## 3.1.0 (2024-01-10)
 
diff --git a/src/quick-lint-js/fe/lex.cpp b/src/quick-lint-js/fe/lex.cpp
index 72c41b7a93..5c5be9a91d 100644
--- a/src/quick-lint-js/fe/lex.cpp
+++ b/src/quick-lint-js/fe/lex.cpp
@@ -14,6 +14,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1832,9 +1833,15 @@ Lexer::Parsed_Identifier Lexer::parse_identifier_slow(
     }
   }
 
+  String8_View normalized_view = normalized.release_to_string_view();
+
+  // Add padding bytes required by Keyword_Lexer. This should not be considered
+  // part of the returned string.
+  normalized.resize(normalized.size() + Keyword_Lexer::padding_size);
+
   return Parsed_Identifier{
       .after = input,
-      .normalized = normalized.release_to_string_view(),
+      .normalized = normalized_view,
       .escape_sequences = escape_sequences,
   };
 }
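Review bot: The memory-safety of the padding fix in the second lex.cpp hunk rests on two properties of `normalized`'s `Vector` type that the hunk neither shows nor checks: that `release_to_string_view()` leaves `normalized.size()` equal to the identifier's length (if it reset the size to 0, only `padding_size` bytes would be appended, and not necessarily after the released data), and that `resize()` extends the existing storage in place so the padding lands immediately after `normalized_view`; if the allocator reallocates instead, the view still ends at an unpadded boundary and the over-read in Keyword_Lexer is not fixed. I would pin both with a debug-time check after the resize, in the project's assertion style, that the vector's storage still begins at `normalized_view.data()` and covers at least `normalized_view.size() + Keyword_Lexer::padding_size` bytes, and extend the comment to explain the ordering that a future refactor could silently break: `// Take the view first so its length excludes the padding bytes added below.` If this `resize` does not value-initialize new elements, the padding is uninitialized memory that Keyword_Lexer will read — not an overflow, but an MSan/valgrind finding — so consider filling it explicitly. `parse_identifier_slow` begins outside the hunk, and the header name in the new `#include` line was lost in this rendering, so I cannot judge whether it is needed by this change.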