[CVE-2017-0223] Fix right paren location calculation for lambda with assignment expression

boingoing · boingoing · commit f74773f4520a · 2017-05-10T13:22:57.000-07:00
We don't calculate correct right paren location when a lambda contains an assignment expression where the assignment rhs is wrapped in parens. Due to the incorrect offset, we overwrite the buffer allocated in ScriptFunction::EnsureSourceString when we try to toString the lambda.
diff --git a/lib/Parser/Parse.cpp b/lib/Parser/Parse.cpp
@@ -8440,7 +8440,7 @@ ParseNodePtr Parser::ParseExpr(int oplMin,
         {
             // Parse the operand, make a new node, and look for more
             IdentToken token;
-            pnodeT = ParseExpr<buildAST>(opl, NULL, fAllowIn, FALSE, pNameHint, &hintLength, &hintOffset, &token);
+            pnodeT = ParseExpr<buildAST>(opl, NULL, fAllowIn, FALSE, pNameHint, &hintLength, &hintOffset, &token, false, nullptr, plastRParen);
 
             // Detect nested function escapes of the pattern "o.f = function(){...}" or "o[s] = function(){...}".
             // Doing so in the parser allows us to disable stack-nested-functions in common cases where an escape
diff --git a/test/es6/lambda1.js b/test/es6/lambda1.js
@@ -477,6 +477,29 @@ var tests = [
             var l = async() => (async() => ('str'));
             assert.areEqual("async() => (async() => ('str'))", '' + l, "Nested async lambda should be correct");
         }
+    },
+    {
+        name: "Lambda consisting of assignment expression should have correct source string",
+        body: function () {
+            var l = () => a = (123)
+            assert.areEqual('() => a = (123)', '' + l, "Lambda to string should include the parens wrapping the return expression");
+            
+            var l = () => a = (('๏บบ'))
+            assert.areEqual("() => a = (('๏บบ'))", '' + l, "Multi-byte characters should not break the string");
+            
+            var s = "() => a = ('\u{20ac}')";
+            var l = eval(s);
+            assert.areEqual(s, '' + l, "Unicode byte sequences should not break the string");
+            
+            var l = async() => a = ({});
+            assert.areEqual('async() => a = ({})', '' + l, "Async lambda should also be correct");
+            
+            var l = () => a = (() => b = (123))
+            assert.areEqual('() => a = (() => b = (123))', '' + l, "Nested lambda to string should be correct");
+            
+            var l = async() => a = (async() => b = ('str'));
+            assert.areEqual("async() => a = (async() => b = ('str'))", '' + l, "Nested async lambda should be correct");
+        }
     }
 ];
 

Original file line number	Diff line number	Diff line change
`@@ -8440,7 +8440,7 @@ ParseNodePtr Parser::ParseExpr(int oplMin,`
`8440`	`8440`	`{`
`8441`	`8441`	`// Parse the operand, make a new node, and look for more`
`8442`	`8442`	`IdentToken token;`
`8443`		`- pnodeT = ParseExpr<buildAST>(opl, NULL, fAllowIn, FALSE, pNameHint, &hintLength, &hintOffset, &token);`
	`8443`	`+ pnodeT = ParseExpr<buildAST>(opl, NULL, fAllowIn, FALSE, pNameHint, &hintLength, &hintOffset, &token, false, nullptr, plastRParen);`
`8444`	`8444`
`8445`	`8445`	`// Detect nested function escapes of the pattern "o.f = function(){...}" or "o[s] = function(){...}".`
`8446`	`8446`	`// Doing so in the parser allows us to disable stack-nested-functions in common cases where an escape`