Fixing crash in JSON parser

SAP · Dec 20, 2024 · a5d7ff3 · a5d7ff3
1 parent 9072969
commit a5d7ff3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/js/src/vm/JSONParser.cpp b/js/src/vm/JSONParser.cpp
@@ -382,7 +382,7 @@ JSONToken JSONTokenizer<CharT, ParserT, StringBuilderT>::readString() {
       size_t length = current - start;
       ptrdiff_t offset = start - begin;
       current++;
-      return stringToken<ST>(start, length, taint.safeSubTaint(offset, offset + length));
+      return stringToken<ST>(start, length, mTaint.safeSubTaint(offset, offset + length));
     }
 
     if (*current == '\\') {
@@ -402,7 +402,7 @@ JSONToken JSONTokenizer<CharT, ParserT, StringBuilderT>::readString() {
    */
   StringBuilderT builder(parser->handler.context());
   do {
-    if (start < current && !builder.append(start.get(), current.get(), taint.safeSubTaint(start - begin, current - begin))) {
+    if (start < current && !builder.append(start.get(), current.get(), mTaint.safeSubTaint(start - begin, current - begin))) {
       return token(JSONToken::OOM);
     }
 
@@ -485,7 +485,7 @@ JSONToken JSONTokenizer<CharT, ParserT, StringBuilderT>::readString() {
         return token(JSONToken::Error);
     }
 
-    if (!builder.append(c, taint.atRef(current - 1 - begin))) {
+    if (!builder.append(c, mTaint.atRef(current - 1 - begin))) {
       return token(JSONToken::OOM);
     }
 

diff --git a/js/src/vm/JSONParser.h b/js/src/vm/JSONParser.h
@@ -64,10 +64,10 @@ class MOZ_STACK_CLASS JSONTokenizer {
   CharPtr current;
   const CharPtr begin, end;
 
-  // TaintFox: Reference to the taint information associated with the input string. Can be nullptr
+  // TaintFox: Copy of the taint information associated with the input string. Can be empty
   // since this class may have been constructed from raw character ranges that were never
   // associated with a string instance.
-  const StringTaint& taint;
+  const SafeStringTaint mTaint;
 
   ParserT* parser = nullptr;
 
@@ -77,7 +77,7 @@ class MOZ_STACK_CLASS JSONTokenizer {
         current(current),
         begin(begin),
         end(end),
-        taint(taint),
+        mTaint(taint),
         parser(parser) {
     MOZ_ASSERT(current <= end);
     MOZ_ASSERT(parser);
@@ -93,7 +93,7 @@ class MOZ_STACK_CLASS JSONTokenizer {
 
   JSONTokenizer(JSONTokenizer<CharT, ParserT, StringBuilderT>&& other) noexcept
       : JSONTokenizer(other.sourceStart, other.current, other.begin, other.end,
-                      other.taint, other.parser) {}
+                      other.mTaint, other.parser) {}
 
   JSONTokenizer(const JSONTokenizer<CharT, ParserT, StringBuilderT>& other) =
       delete;