[Tinycc-devel] bugs: global state corruption after setjmp()

[egodust]

Heyas,

Using libtcc in the following way shows up some bugs, the first bug
hides the second bug.

tcc=tcc_new();
tcc_add_file(tcc, "bad.c"); // returns < 0 as expected
tcc_delete(tcc);

tcc=tcc_new(); // <-- fails with ":1: invalid macro name ''"

The global state is left unclean because the error handler will use
setjmp() this will
leave macro_ptr != NULL set to the unget token buffer.

tcc_new() will call tcc_define_symbol() as normal, but it will use the
macro parsing
functions, which rely on macro_ptr, and will fail with: 1: invalid
macro name ''.

tcc_new() should probably use its own setjmp() buffer earlier on so that if
the global parser state is corrupted it can just return NULL, this idea isn't
included in the following patch.

Once the macro_ptr bug is fixed, another similar bug is found,

tcc=tcc_new();
tcc_add_file(tcc, "bad.c"); // returns < 0 as expected
tcc_delete(tcc);

tcc=tcc_new(); <-- fine
tcc_add_file(tcc, "good.c"); // crashes

the compiler for "bad.c" setup local_stack, containing pointers to
symbols that tcc_delete() freed,
tcc_compile() will use functions that rely on local_stack, which will
contain freed pointers
and crash. The simple fix is to free the local_stack structure within
tcc_compile()'s jump target
handler, just like it does for global_stack, so that its freed/NULL again.

I have included the two test files I used, and two patches that fix
the problems.

Kind Regards,
Sam K

The files used:

// bad.c:

void bar()
{
        maybe_an_ident_or_a_label
}
void foo()
{
        bar();
}
int main()
{
        return 0;
}

// good.c
int main()
{
        return 1;
}

freelocalstack.diff
Description: Binary data

fix_macroptr.diff
Description: Binary data