[PATCH 5/9] comments.c: Fix heap corruption
From: |
Tim Hentenaar |
Subject: |
[PATCH 5/9] comments.c: Fix heap corruption |
Date: |
Wed, 17 Jun 2015 20:56:01 +0200 |
* comments.c: CHECK_COM_SIZE: Use unsigned type for size
* comments.c: CHECK_COM_SIZE: Add a parameter for the expected size
we're about to write.
* comments.c: Prevent heap corruption via writing past the end of
combuf by adding a size check in places where we're writing to
combuf by looping and incrementing e_com.
---
ChangeLog | 7 +++++++
regression/TEST | 8 ++++++++
regression/input/combuf-heap-corruption | 1 +
src/comments.c | 18 +++++++++++-------
4 files changed, 27 insertions(+), 7 deletions(-)
create mode 100644 regression/input/combuf-heap-corruption
diff --git a/ChangeLog b/ChangeLog
index 18251a4..6191914 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-06-17 Tim Hentenaar <address@hidden>
+ * comments.c: CHECK_COM_SIZE: Use unsigned type for size
+ * comments.c: CHECK_COM_SIZE: Add a parameter for the expected size
+ we're about to write.
+ * comments.c: Prevent heap corruption via writing past the end of
+ combuf by adding a size check in places where we're writing to
+ combuf by looping and incrememnting e_com.
2015-06-16 Tim Hentenaar <address@hidden>
* Use want_blank instead of copying a space to e_code to avoid
diff --git a/regression/TEST b/regression/TEST
index 3f9b86d..0962de9 100755
--- a/regression/TEST
+++ b/regression/TEST
@@ -432,6 +432,14 @@ then
echo >> $ERR
fi
+# Heap corruption by writing past the end of combuf
+$INDENT -npro -st > /dev/null 2>&1 < input/combuf-heap-corruption
+if [ $? -ne 0 ]
+then
+ echo "ERROR: heap corruption in comments.c" | tee -a $ERR
+ echo >> $ERR
+fi
+
# This ends in a error from indent but it shouldn't coredump.
$INDENT -npro input/bug206785.c -o output/bug206785.c 2>output/bug206785.err
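Review bot: The new check at `if [ $? -ne 0 ]` only detects a nonzero exit status, so an out-of-bounds write that does not make indent crash passes this test silently, and `-st > /dev/null 2>&1` discards the only other evidence. Redirecting the result to a file under output/ and comparing it against an expected file, in the way the following test writes its result with `-o output/bug206785.c`, would make the regression fail on corrupted output as well as on a crash. A one-line comment stating that the test relies on a crash being observable, e.g. `# Only catches a crash; run under a memory checker to detect a silent overflow`, would at least record the limitation.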
diff --git a/regression/input/combuf-heap-corruption
b/regression/input/combuf-heap-corruption
new file mode 100644
index 0000000..e971f03
--- /dev/null
+++ b/regression/input/combuf-heap-corruption
@@ -0,0 +1 @@
+0000000//
0000000000000000000000000000000000000000000000000000000000000000
\ No newline at end of file
diff --git a/src/comments.c b/src/comments.c
index bf860b7..600614e 100644
--- a/src/comments.c
+++ b/src/comments.c
@@ -32,11 +32,11 @@ RCSTAG_CC ("$Id$");
/** Check the limits of the comment buffer, and expand as neccessary. */
-#define CHECK_COM_SIZE \
- if (e_com >= l_com) \
+#define CHECK_COM_SIZE(X) \
+ if (e_com >= l_com - (X)) \
{ \
- int nsize = l_com - s_com + 400; \
- combuf = (char *) xrealloc (combuf, nsize); \
+ size_t nsize = l_com - s_com + 400 + (X); \
+ combuf = xrealloc (combuf, nsize); \
e_com = combuf + (e_com - s_com) + 1; \
l_com = combuf + nsize - 5; \
s_com = combuf + 1; \
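Review bot: The new condition `if (e_com >= l_com - (X))` forms a pointer `(X)` bytes before l_com, and for a large argument such as the preamble or saved-text lengths passed later in this patch that pointer can lie before the start of combuf, which is undefined pointer arithmetic the compiler is entitled to optimise on; expressing the test as a distance avoids it: `if (l_com - e_com <= (ptrdiff_t)(X))`. The argument is also evaluated twice, once in the condition and once in `nsize`, so the header comment should say so, e.g. `/* X: bytes about to be written; evaluated twice, pass a side-effect-free expression. */`. The macro body continues past the end of the hunk, so whether it is wrapped in `do { ... } while (0)` cannot be seen here.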
@@ -195,8 +195,8 @@ extern void print_comment(
++line_no;
}
+ CHECK_COM_SIZE(1);
*e_com++ = *buf_ptr++;
- CHECK_COM_SIZE;
} while ((*buf_ptr != '*') && (buf_ptr < buf_end));
/* Make sure we don't go past the end of the buffer */
@@ -471,7 +471,7 @@ extern void print_comment(
while (!had_eof)
{
- CHECK_COM_SIZE;
+ CHECK_COM_SIZE(1);
switch (*buf_ptr)
{
@@ -510,6 +510,7 @@ extern void print_comment(
int tab_width = (settings.tabsize - ((column + found_column -
start_column - 1) %
settings.tabsize));
column += tab_width;
+ CHECK_COM_SIZE(tab_width);
while (tab_width--)
{
*e_com++ = ' ';
@@ -649,6 +650,7 @@ cplus_exit:
}
/* Now insert the ending delimiter */
+ CHECK_COM_SIZE(3);
*e_com++ = '*';
*e_com++ = '/';
*e_com = '\0';
@@ -854,8 +856,9 @@ begin_line:
* user specified -sc.
*/
- if (line_preamble)
+ if (line_preamble && line_preamble_length > 0)
{
+ CHECK_COM_SIZE(line_preamble_length);
(void) memcpy (e_com, line_preamble, line_preamble_length);
e_com += line_preamble_length;
column = start_column + line_preamble_length;
@@ -879,6 +882,7 @@ begin_line:
save_length--;
}
+ CHECK_COM_SIZE(save_length);
(void) memmove (e_com, save_ptr, save_length);
text_on_line = e_com;
e_com += save_length;
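Review bot: `CHECK_COM_SIZE(save_length)` may reallocate combuf, but save_ptr is not re-based afterwards, so if save_ptr points into combuf — which the memmove on the following line suggests, since memmove is only needed when source and destination overlap — the copy would read from the freed old buffer after a grow. If that is the case, preserve the offset across the check: `ptrdiff_t save_off = save_ptr - combuf; CHECK_COM_SIZE(save_length); save_ptr = combuf + save_off;`. Where save_ptr is assigned is outside the hunk, so this needs confirming against that code; any other pointer into combuf held across the checks added by this patch has the same hazard. The enclosing function begins outside the hunk.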
--
2.3.6