From 4318ef1cb398b9b72aea287a815c09cfe68a2b27 Mon Sep 17 00:00:00 2001
From: Alex Lorenz
Date: Sat, 14 Oct 2017 01:18:30 +0000
Subject: [PATCH] [Lex] Avoid out-of-bounds dereference in SkipLineComment
Credit to OSS-Fuzz for discovery:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3145
rdar://34526482
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@315785 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Lex/Lexer.cpp | 3 ++-
 unittests/Lex/LexerTest.cpp | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/Lex/Lexer.cpp b/lib/Lex/Lexer.cpp
index 0c179c0fb8..b85e0f03dc 100644
--- a/lib/Lex/Lexer.cpp
+++ b/lib/Lex/Lexer.cpp
@@ -2144,7 +2144,8 @@ bool Lexer::SkipLineComment(Token &Result, const char *CurPtr,
 // If we read multiple characters, and one of those characters was a \r or
 // \n, then we had an escaped newline within the comment. Emit diagnostic
 // unless the next line is also a // comment.
- if (CurPtr != OldPtr+1 && C != '/' && CurPtr[0] != '/') {
+ if (CurPtr != OldPtr + 1 && C != '/' &&
+ (CurPtr == BufferEnd + 1 || CurPtr[0] != '/')) {
 for (; OldPtr != CurPtr; ++OldPtr)
 if (OldPtr[0] == '\n' || OldPtr[0] == '\r') {
 // Okay, we found a // comment that ends in a newline, if the next
diff --git a/unittests/Lex/LexerTest.cpp b/unittests/Lex/LexerTest.cpp
index 35eee12138..894f8c7fd8 100644
--- a/unittests/Lex/LexerTest.cpp
+++ b/unittests/Lex/LexerTest.cpp
@@ -473,4 +473,9 @@ TEST_F(LexerTest, GetBeginningOfTokenWithEscapedNewLine) {
 }
 }

+TEST_F(LexerTest, AvoidPastEndOfStringDereference) {
+ std::vector LexedTokens = Lex(" // \\\n");
+ EXPECT_TRUE(LexedTokens.empty());
+}
+
 } // anonymous namespace
--
2.40.0
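Review bot: The added `CurPtr == BufferEnd + 1` test in the `if` condition carries no comment, so a reader cannot tell why CurPtr may sit one past BufferEnd or why `CurPtr[0]` must not be read there. I would add a line above the `if`, such as `// An escaped newline right before EOF can leave CurPtr one past BufferEnd; do not peek at CurPtr[0] in that case.` (wording inferred from the commit title and the new test; confirm against the character-advance logic, which is outside this hunk). The guard is also an exact-equality match: if any path can move CurPtr more than one byte beyond BufferEnd, control still reaches the dereference, so `CurPtr > BufferEnd` may be the more defensive form. SkipLineComment starts and ends outside the hunk.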
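Review bot: `AvoidPastEndOfStringDereference` asserts only that no tokens come back, which may well have held before the fix too; the out-of-bounds read itself would presumably be reported only when the unit tests run under AddressSanitizer or a similar memory checker. A comment on the test saying so, e.g. `// Regression test for a read past the end of the buffer; only meaningful in sanitizer builds.`, would keep it from being judged redundant later. The input covers only a backslash followed by `\n` at the end of the buffer; a sibling case whose input ends in a backslash followed by `\r\n` would exercise the same guard for the other line ending that the lexer condition checks.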