CVE-2019-0746

akroshg · pleath · commit b116253c8f54 · 2019-03-07T16:10:12.000-08:00
diff --git a/lib/Runtime/Library/JavascriptString.cpp b/lib/Runtime/Library/JavascriptString.cpp
@@ -3415,6 +3415,7 @@ namespace Js
 
     int JavascriptString::LastIndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, charcount_t len, const char16* searchStr, charcount_t searchLen, charcount_t position)
     {
+        Assert(searchLen > 0);
         const char16 searchFirst = searchStr[0];
         uint32 lMatchedJump = searchLen;
         if (jmpTable[searchFirst].shift > 0)
@@ -3423,31 +3424,41 @@ namespace Js
         }
         WCHAR c;
         char16 const * p = inputStr + min(len - searchLen, position);
-        while(p >= inputStr)
+
+        while (true)
         {
+            uint32 remaining = (uint32)(p - inputStr);
+            uint32 backwardOffset = 0;
             // first character match, keep checking
             if (*p == searchFirst)
             {
-                if ( wmemcmp(p, searchStr, searchLen) == 0 )
+                if (wmemcmp(p, searchStr, searchLen) == 0)
                 {
-                    break;
+                    return (int)remaining;
                 }
-                p -= lMatchedJump;
+                backwardOffset = lMatchedJump;
             }
             else
             {
                 c = *p;
-                if ( 0 == ( c & ~0x7f ) && jmpTable[c].shift != 0 )
+                if (0 == (c & ~0x7f) && jmpTable[c].shift != 0)
                 {
-                    p -= jmpTable[c].shift;
+                    backwardOffset = jmpTable[c].shift;
                 }
                 else
                 {
-                    p -= searchLen;
+                    backwardOffset = searchLen;
                 }
             }
+            AssertOrFailFast(backwardOffset > 0);
+            if (backwardOffset > remaining)
+            {
+                break;
+            }
+            p -= backwardOffset;
         }
-        return ((p >= inputStr) ? (int)(p - inputStr) : -1);
+
+        return -1;
     }
 
     bool JavascriptString::BuildLastCharForwardBoyerMooreTable(JmpTable jmpTable, const char16* searchStr, int searchLen)

Original file line number	Diff line number	Diff line change
`@@ -3415,6 +3415,7 @@ namespace Js`
`3415`	`3415`
`3416`	`3416`	`int JavascriptString::LastIndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, charcount_t len, const char16* searchStr, charcount_t searchLen, charcount_t position)`
`3417`	`3417`	`{`
	`3418`	`+ Assert(searchLen > 0);`
`3418`	`3419`	`const char16 searchFirst = searchStr[0];`
`3419`	`3420`	`uint32 lMatchedJump = searchLen;`
`3420`	`3421`	`if (jmpTable[searchFirst].shift > 0)`
`@@ -3423,31 +3424,41 @@ namespace Js`
`3423`	`3424`	`}`
`3424`	`3425`	`WCHAR c;`
`3425`	`3426`	`char16 const * p = inputStr + min(len - searchLen, position);`
`3426`		`- while(p >= inputStr)`
	`3427`	`+`
	`3428`	`+ while (true)`
`3427`	`3429`	`{`
	`3430`	`+ uint32 remaining = (uint32)(p - inputStr);`
	`3431`	`+ uint32 backwardOffset = 0;`
`3428`	`3432`	`// first character match, keep checking`
`3429`	`3433`	`if (*p == searchFirst)`
`3430`	`3434`	`{`
`3431`		`- if ( wmemcmp(p, searchStr, searchLen) == 0 )`
	`3435`	`+ if (wmemcmp(p, searchStr, searchLen) == 0)`
`3432`	`3436`	`{`
`3433`		`- break;`
	`3437`	`+ return (int)remaining;`
`3434`	`3438`	`}`
`3435`		`- p -= lMatchedJump;`
	`3439`	`+ backwardOffset = lMatchedJump;`
`3436`	`3440`	`}`
`3437`	`3441`	`else`
`3438`	`3442`	`{`
`3439`	`3443`	`c = *p;`
`3440`		`- if ( 0 == ( c & ~0x7f ) && jmpTable[c].shift != 0 )`
	`3444`	`+ if (0 == (c & ~0x7f) && jmpTable[c].shift != 0)`
`3441`	`3445`	`{`
`3442`		`- p -= jmpTable[c].shift;`
	`3446`	`+ backwardOffset = jmpTable[c].shift;`
`3443`	`3447`	`}`
`3444`	`3448`	`else`
`3445`	`3449`	`{`
`3446`		`- p -= searchLen;`
	`3450`	`+ backwardOffset = searchLen;`
`3447`	`3451`	`}`
`3448`	`3452`	`}`
	`3453`	`+ AssertOrFailFast(backwardOffset > 0);`
	`3454`	`+ if (backwardOffset > remaining)`
	`3455`	`+ {`
	`3456`	`+ break;`
	`3457`	`+ }`
	`3458`	`+ p -= backwardOffset;`
`3449`	`3459`	`}`
`3450`		`- return ((p >= inputStr) ? (int)(p - inputStr) : -1);`
	`3460`	`+`
	`3461`	`+ return -1;`
`3451`	`3462`	`}`
`3452`	`3463`
`3453`	`3464`	`bool JavascriptString::BuildLastCharForwardBoyerMooreTable(JmpTable jmpTable, const char16* searchStr, int searchLen)`