Fix new crash when indicator includes a newline

Fixes new oss-fuzz crash reported in: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43475 This is in new error handling code, which is why it was not reported before.
google · Jan 14, 2022 · 1b8c904 · 1b8c904
1 parent ca65fae
commit 1b8c904
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 8 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "json5format"
-version = "0.2.3"
+version = "0.2.4"
 authors = [
   "Rich Kadel <richkadel@google.com>",
   "David Tamas-Parris <davidatp@google.com>",

diff --git a/samples/fuzz_fails_fixed/clusterfuzz-testcase-minimized-fuzz_parse-6642606161920000 b/samples/fuzz_fails_fixed/clusterfuzz-testcase-minimized-fuzz_parse-6642606161920000
@@ -0,0 +1,2 @@
+[
+//                                                                                                                                                                                                       
diff --git a/src/parser.rs b/src/parser.rs
@@ -776,16 +776,23 @@ impl<'parser> Parser<'parser> {
         min_context_len: usize,
         ellipsis: &str,
     ) -> ParserErrorContext {
+        // `indicator_start` is a 0-based char position
+        let indicator_start = self.column_number - 1;
+
+        let error_line_len = self.current_line.chars().count();
+
         let indicator_len = if self.line_number == self.next_line_number {
-            std::cmp::max(self.next_column_number - self.column_number, 1)
+            std::cmp::max(
+                std::cmp::min(
+                    self.next_column_number - self.column_number,
+                    error_line_len - indicator_start,
+                ),
+                1,
+            )
         } else {
             1
         };
 
-        // `indicator_start` is a 0-based char position
-        let indicator_start = self.column_number - 1;
-
-        let error_line_len = self.current_line.chars().count();
         if error_line_len <= max_error_line_len {
             ParserErrorContext::new(self.current_line.to_owned(), indicator_start, indicator_len)
         } else {
@@ -852,7 +859,14 @@ fn trim_error_line_and_indicator(
     assert!(max_error_line_len > ellipsis_len);
     assert!(max_error_line_len < error_line_len);
     assert!(indicator_start <= error_line_len);
-    assert!(indicator_len == 1 || (indicator_start + indicator_len) <= error_line_len);
+    assert!(
+        indicator_len == 1 || (indicator_start + indicator_len) <= error_line_len,
+        "indicator_start={}, indicator_len={}, error_line_len={}\n{}",
+        indicator_start,
+        indicator_len,
+        error_line_len,
+        error_line
+    );
 
     indicator_len = std::cmp::min(indicator_len, max_error_line_len);