Re: [bug-gawk] Heap overflow (write) in function make_regexp on malformed input
From: Aharon Robbins
Subject: Re: [bug-gawk] Heap overflow (write) in function make_regexp on malformed input
Date: Wed, 28 Oct 2015 21:28:54 +0200
User-agent: Heirloom mailx 12.5 6/20/10
Hi.
> Date: Sun, 25 Oct 2015 20:44:52 +0100
> From: Hanno Böck <address@hidden>
> To: address@hidden
> Subject: [bug-gawk] Heap overflow (write) in function make_regexp on
> malformed input
>
> Hi,
>
> The attached file will cause an out of bounds heap write (heap
> overflow) in the function make_regexp.
>
> This is a different bug from the two others I already reported, it
> still happens with the latest git code.
>
> The file just consists of the chars "/\" and a zero byte.
>
> This was found with the fuzzing tool american fuzzy lop.
> --
> Hanno Böck
Thanks for the report. The following diff fixes the problem by
completely disallowing NUL bytes. It's been applied and pushed.
Thanks,
Arnold
---------------------------------------------------
diff --git a/awkgram.y b/awkgram.y
index 1177160..2592d13 100644
--- a/awkgram.y
+++ b/awkgram.y
@@ -2887,7 +2887,7 @@ again:
0 : work_ring_idx + 1;
cur_char_ring[work_ring_idx] = 0;
}
- if (check_for_bad)
+ if (check_for_bad || *lexptr == '\0')
check_bad_char(*lexptr);
return (int) (unsigned char) *lexptr++;
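Review bot: the new condition `check_for_bad || *lexptr == '\0'` only stops a NUL byte if check_bad_char() treats '\0' as fatal, and that function's body is not visible in this hunk; if it merely warns, the byte is still handed back by `return (int) (unsigned char) *lexptr++;` and flows on to the regexp code the report says overflows. Worth confirming check_bad_char() aborts on NUL, or rejecting it explicitly here. Also, unlike the second hunk, no `lexptr < lexend` guard is visible before `*lexptr` is dereferenced in the new test; the context above `again:` is cut off, so please confirm the earlier path guarantees lexptr is in range at this point.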
@@ -2896,7 +2896,7 @@ again:
if (lexeof)
return END_FILE;
if (lexptr && lexptr < lexend) {
- if (check_for_bad)
+ if (check_for_bad || *lexptr == '\0')
check_bad_char(*lexptr);
return ((int) (unsigned char) *lexptr++);
}
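Review bot: the same `check_for_bad || *lexptr == '\0'` test now appears verbatim at two call sites with nothing recording why NUL is rejected unconditionally, so a later cleanup of check_for_bad could drop the second half of the condition without noticing. Suggest a one-line comment at each site (or a small shared helper) stating that an embedded NUL must never be returned as a source character because of the make_regexp heap overflow, and a regression test feeding the reported `/\` plus NUL input so the behaviour stays pinned down.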