Fix potential buffer overread in CountNewlines in Scan.cpp

xiaoyinl · xiaoyinl · commit fc1fb6ab2738 · 2018-06-11T04:22:43.000-07:00
cch parameter is ignored if psz is not null-terminated and psz[cch-1] == '\r' and psz[cch] == '\n'.
diff --git a/lib/Parser/Scan.cpp b/lib/Parser/Scan.cpp
@@ -19,11 +19,10 @@ int CountNewlines(LPCOLESTR psz, int cch)
         switch (*psz++)
         {
         case _u('\xD'):
-            if (*psz == _u('\xA'))
+            if (cch != 0 && *psz == _u('\xA'))
             {
                 ++psz;
-                if (0 == cch--)
-                    break;
+                --cch;
             }
             // fall-through
         case _u('\xA'):

Original file line number	Diff line number	Diff line change
`@@ -19,11 +19,10 @@ int CountNewlines(LPCOLESTR psz, int cch)`
`19`	`19`	`switch (*psz++)`
`20`	`20`	`{`
`21`	`21`	`case _u('\xD'):`
`22`		`- if (*psz == _u('\xA'))`
	`22`	`+ if (cch != 0 && *psz == _u('\xA'))`
`23`	`23`	`{`
`24`	`24`	`++psz;`
`25`		`- if (0 == cch--)`
`26`		`- break;`
	`25`	`+ --cch;`
`27`	`26`	`}`
`28`	`27`	`// fall-through`
`29`	`28`	`case _u('\xA'):`