
Re: [bug-gawk] out of bounds heap read in yyerror


From: Aharon Robbins
Subject: Re: [bug-gawk] out of bounds heap read in yyerror
Date: Sun, 11 Oct 2015 20:53:11 +0300
User-agent: Heirloom mailx 12.5 6/20/10

Hi.

Re this:

> Date: Tue, 22 Sep 2015 10:40:33 +0200
> From: Hanno Böck <address@hidden>
> To: address@hidden
> Subject: [bug-gawk] out of bounds heap read in yyerror
>
> Hi,
>
> The current git code of gawk has an out of bounds heap read error. This
> can be triggered with the file attached (just three bytes, a newline, a
> { and another newline).
>
> This can be seen with valgrind or address sanitizer.
>
> This is the code piece where this happens (in awkgram.y):
>                         for (; cp != lexptr_begin && *cp != '\n'; --cp)
>
> This was found with american fuzzy lop.

Thanks for the report. Here is the fix, which I have committed
and pushed.

Arnold
----------------------------------------------------
diff --git a/awkgram.y b/awkgram.y
index cb41cf3..1177160 100644
--- a/awkgram.y
+++ b/awkgram.y
@@ -102,8 +102,8 @@ const char *const ruletab[] = {
 static bool in_print = false;  /* lexical scanning kludge for print */
 static int in_parens = 0;      /* lexical scanning kludge for print */
 static int sub_counter = 0;    /* array dimension counter for use in delete */
-static char *lexptr = NULL;            /* pointer to next char during parsing 
*/
-static char *lexend;
+static char *lexptr;           /* pointer to next char during parsing */
+static char *lexend;           /* end of buffer */
 static char *lexptr_begin;     /* keep track of where we were for error msgs */
 static char *lexeme;           /* beginning of lexeme for debugging */
 static bool lexeof;            /* seen EOF for current source? */  
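Review bot: the `/* end of buffer */` comment added on `lexend` should say whether it points at the last valid byte or one past it, because the `yyerror` loop below relies on `bp < lexend` as its upper bound; dropping the explicit `= NULL` from `lexptr` changes nothing, since a file-scope static is zero-initialised anyway.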
@@ -2111,7 +2111,8 @@ yyerror(const char *m, ...)
                if (thisline == NULL) {
                        cp = lexeme;
                        if (*cp == '\n') {
-                               cp--;
+                               if (cp > lexptr_begin)
+                                       cp--;
                                mesg = _("unexpected newline or end of string");
                        }
                        for (; cp != lexptr_begin && *cp != '\n'; --cp)
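Review bot: the guard `if (cp > lexptr_begin)` before `cp--` is the actual fix for the reported read: when the offending newline is the very first byte of the source, `cp == lexptr_begin`, and the old unconditional decrement moved `cp` below the buffer, so the following loop's `cp != lexptr_begin` test could never stop it. Using `>` rather than `>=` is correct here, since a `cp` equal to `lexptr_begin` must not be decremented either; a short comment naming the "newline as first character" case would make the intent obvious to the next reader.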
@@ -2122,6 +2123,8 @@ yyerror(const char *m, ...)
                }
                /* NL isn't guaranteed */
                bp = lexeme;
+               if (bp < thisline)
+                       bp = thisline + 1;
                while (bp < lexend && *bp && *bp != '\n')
                        bp++;
        } else {
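Review bot: `bp = thisline + 1` is only safe because the `while (bp < lexend && *bp ...)` that follows re-checks the upper bound before dereferencing; nothing in the hunk states why `bp` can end up below `thisline` or what the `+ 1` skips (presumably the newline that `thisline` points at), so a one-line comment on the new `if` would help.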


