r315785 - [Lex] Avoid out-of-bounds dereference in SkipLineComment

Alex Lorenz via cfe-commits cfe-commits at lists.llvm.org
Fri Oct 13 18:18:30 PDT 2017


Author: arphaman
Date: Fri Oct 13 18:18:30 2017
New Revision: 315785

URL: http://llvm.org/viewvc/llvm-project?rev=315785&view=rev
Log:
[Lex] Avoid out-of-bounds dereference in SkipLineComment

Credit to OSS-Fuzz for discovery:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3145

rdar://34526482

Modified:
    cfe/trunk/lib/Lex/Lexer.cpp
    cfe/trunk/unittests/Lex/LexerTest.cpp

Modified: cfe/trunk/lib/Lex/Lexer.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Lex/Lexer.cpp?rev=315785&r1=315784&r2=315785&view=diff
==============================================================================
--- cfe/trunk/lib/Lex/Lexer.cpp (original)
+++ cfe/trunk/lib/Lex/Lexer.cpp Fri Oct 13 18:18:30 2017
@@ -2144,7 +2144,8 @@ bool Lexer::SkipLineComment(Token &Resul
     // If we read multiple characters, and one of those characters was a \r or
     // \n, then we had an escaped newline within the comment.  Emit diagnostic
     // unless the next line is also a // comment.
-    if (CurPtr != OldPtr+1 && C != '/' && CurPtr[0] != '/') {
+    if (CurPtr != OldPtr + 1 && C != '/' &&
+        (CurPtr == BufferEnd + 1 || CurPtr[0] != '/')) {
       for (; OldPtr != CurPtr; ++OldPtr)
         if (OldPtr[0] == '\n' || OldPtr[0] == '\r') {
           // Okay, we found a // comment that ends in a newline, if the next
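Review bot: the new `CurPtr == BufferEnd + 1` clause in the condition has no explanation, and the comment above it still only describes the escaped-newline diagnostic. Add a line stating when `CurPtr` can sit one past `BufferEnd` at this point, so the guard is not simplified away later. It is also worth stating why exact equality is sufficient here: if `CurPtr` could ever be further beyond `BufferEnd`, `CurPtr[0] != '/'` would still be evaluated.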

Modified: cfe/trunk/unittests/Lex/LexerTest.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/unittests/Lex/LexerTest.cpp?rev=315785&r1=315784&r2=315785&view=diff
==============================================================================
--- cfe/trunk/unittests/Lex/LexerTest.cpp (original)
+++ cfe/trunk/unittests/Lex/LexerTest.cpp Fri Oct 13 18:18:30 2017
@@ -473,4 +473,9 @@ TEST_F(LexerTest, GetBeginningOfTokenWit
   }
 }
 
+TEST_F(LexerTest, AvoidPastEndOfStringDereference) {
+  std::vector<Token> LexedTokens = Lex("  //  \\\n");
+  EXPECT_TRUE(LexedTokens.empty());
+}
+
 } // anonymous namespace
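Review bot: `AvoidPastEndOfStringDereference` only asserts `EXPECT_TRUE(LexedTokens.empty())`, which checks the lexer's output and not the memory access itself, so the test catches a regression only if the read crashes or the suite runs under a sanitizer. A short comment in the test body saying that it exists to be exercised under such a build, together with a pointer to the OSS-Fuzz issue cited in the log, would make the intent clear. The single input `"  //  \\\n"` covers one shape of the trailing escaped newline; a variant ending in `\r`, which the loop in Lexer.cpp also checks for, would widen coverage.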



