Fix heap-buffer-overflow in ecma_builtin_json_quote (#4143)

Fixes #4129.

JerryScript-DCO-1.0-Signed-off-by: Csaba Osztrogonác [email protected]

Author: ossy-szeged

jerry-core/ecma/builtin-objects/ecma-builtin-json.c

@@ -898,11 +898,15 @@ ecma_builtin_json_quote (ecma_stringbuilder_t *builder_p, /**< builder for the r
 #if ENABLED (JERRY_ESNEXT)
     if (lit_is_code_point_utf16_high_surrogate (c))
     {
-      const ecma_char_t next_ch = lit_cesu8_peek_next (str_p);
-      if (lit_is_code_point_utf16_low_surrogate (next_ch))
+      if (str_p < str_end_p)
       {
-        str_p += LIT_UTF8_MAX_BYTES_IN_CODE_UNIT;
-        continue;
+        const ecma_char_t next_ch = lit_cesu8_peek_next (str_p);
+        if (lit_is_code_point_utf16_low_surrogate (next_ch))
+        {
+          str_p += LIT_UTF8_MAX_BYTES_IN_CODE_UNIT;
+          continue;
+        }
+        should_escape = true;
       }
       else
       {

tests/jerry/es.next/regression-test-issue-4129.js

@@ -0,0 +1,15 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+assert(JSON.stringify("\uD834") === '"\\ud834"');