Prevent invalid pre-parsing data passed in through the API from crashing V8.

src/parser.cc

 // Copyright 2010 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 116 matching lines @@
 
  protected:
 
   enum Mode {
     PARSE_LAZILY,
     PARSE_EAGERLY
   };
 
   // Report syntax error
   void ReportUnexpectedToken(Token::Value token);
+  void ReportInvalidPreparseData(Handle<String> name, bool* ok);
 
   Handle<Script> script_;
   Scanner scanner_;
 
   Scope* top_scope_;
   int with_nesting_level_;
 
   TemporaryScope* temp_scope_;
   Mode mode_;
 
@@ skipping 3109 matching lines @@
     return ReportMessage("unexpected_token_identifier",
                          Vector<const char*>::empty());
   default:
     const char* name = Token::String(token);
     ASSERT(name != NULL);
     ReportMessage("unexpected_token", Vector<const char*>(&name, 1));
   }
 }
 
 
+void Parser::ReportInvalidPreparseData(Handle<String> name, bool* ok) {
+  SmartPointer<char> name_string = name->ToCString(DISALLOW_NULLS);
+  const char* element[1] = { *name_string };
+  ReportMessage("invalid_preparser_data",
+                Vector<const char*>(element, 1));
+  *ok = false;
+}
+
+
 Expression* Parser::ParsePrimaryExpression(bool* ok) {
   // PrimaryExpression ::
   //   'this'
   //   'null'
   //   'true'
   //   'false'
   //   Identifier
   //   Number
   //   String
   //   ArrayLiteral
@@ skipping 527 matching lines @@
     // only be PARSE_LAZILY if the --lazy flag is true.
     bool is_lazily_compiled =
         mode() == PARSE_LAZILY && top_scope_->HasTrivialOuterContext();
 
     int materialized_literal_count;
     int expected_property_count;
     bool only_simple_this_property_assignments;
     Handle<FixedArray> this_property_assignments;
     if (is_lazily_compiled && pre_data() != NULL) {
       FunctionEntry entry = pre_data()->GetFunctionEnd(start_pos);
+      if (!entry.is_valid()) {
+        ReportInvalidPreparseData(name, CHECK_OK);
+      }
       int end_pos = entry.end_pos();
+      if (end_pos <= start_pos) {
+        // End position greater than end of stream is safe, and hard to check.
+        ReportInvalidPreparseData(name, CHECK_OK);
+      }
       Counters::total_preparse_skipped.Increment(end_pos - start_pos);
       scanner_.SeekForward(end_pos);
       materialized_literal_count = entry.literal_count();
       expected_property_count = entry.property_count();
       only_simple_this_property_assignments = false;
       this_property_assignments = Factory::empty_fixed_array();
     } else {
       ParseSourceElements(&body, Token::RBRACE, CHECK_OK);
       materialized_literal_count = temp_scope.materialized_literal_count();
       expected_property_count = temp_scope.expected_property_count();
@@ skipping 1355 matching lines @@
       parser.ParseLazy(script_source, name,
                        start_position, end_position, is_expression);
   return result;
 }
 
 
 #undef NEW
 
 
 } }  // namespace v8::internal