?a, cc: fix buffer overflows in built-in preprocessor (macbody)

add a buffer size argument to macexpand() and check for overflow. check for overflow when parsing #include directives.
2020-04-19 23:37:05 +02:00 · 2020-04-19 23:37:05 +02:00 · 0d59a2358a
commit 0d59a2358a
parent e24bfa4941
12 changed files with 40 additions and 27 deletions
--- a/sys/src/cmd/1a/a.h
+++ b/sys/src/cmd/1a/a.h
@ -156,7 +156,7 @@ Sym*	getsym(void);
 void	domacro(void);
 void	macund(void);
 void	macdef(void);
-void	macexpand(Sym*, char*);
+void	macexpand(Sym*, char*, int);
 void	macinc(void);
 void	macprag(void);
 void	maclin(void);
--- a/sys/src/cmd/2a/a.h
+++ b/sys/src/cmd/2a/a.h
@ -157,7 +157,7 @@ Sym*	getsym(void);
 void	domacro(void);
 void	macund(void);
 void	macdef(void);
-void	macexpand(Sym*, char*);
+void	macexpand(Sym*, char*, int);
 void	macinc(void);
 void	macprag(void);
 void	maclin(void);
--- a/sys/src/cmd/5a/a.h
+++ b/sys/src/cmd/5a/a.h
@ -137,7 +137,7 @@ Sym*	getsym(void);
 void	domacro(void);
 void	macund(void);
 void	macdef(void);
-void	macexpand(Sym*, char*);
+void	macexpand(Sym*, char*, int);
 void	macinc(void);
 void	maclin(void);
 void	macprag(void);
--- a/sys/src/cmd/6a/a.h
+++ b/sys/src/cmd/6a/a.h
@ -151,7 +151,7 @@ Sym*	getsym(void);
 void	domacro(void);
 void	macund(void);
 void	macdef(void);
-void	macexpand(Sym*, char*);
+void	macexpand(Sym*, char*, int);
 void	macinc(void);
 void	macprag(void);
 void	maclin(void);
--- a/sys/src/cmd/7a/a.h
+++ b/sys/src/cmd/7a/a.h
@ -143,7 +143,7 @@ Sym*	getsym(void);
 void	domacro(void);
 void	macund(void);
 void	macdef(void);
-void	macexpand(Sym*, char*);
+void	macexpand(Sym*, char*, int);
 void	macinc(void);
 void	maclin(void);
 void	macprag(void);
--- a/sys/src/cmd/8a/a.h
+++ b/sys/src/cmd/8a/a.h
@ -152,7 +152,7 @@ Sym*	getsym(void);
 void	domacro(void);
 void	macund(void);
 void	macdef(void);
-void	macexpand(Sym*, char*);
+void	macexpand(Sym*, char*, int);
 void	macinc(void);
 void	macprag(void);
 void	maclin(void);
--- a/sys/src/cmd/cc/lex.c
+++ b/sys/src/cmd/cc/lex.c
@ -760,7 +760,7 @@ talph:
 	if(s->macro) {
 		newio();
 		cp = ionext->b;
-		macexpand(s, cp);
+		macexpand(s, cp, sizeof(ionext->b));
 		pushio();
 		ionext->link = iostack;
 		iostack = ionext;
--- a/sys/src/cmd/cc/lexbody
+++ b/sys/src/cmd/cc/lexbody
@ -238,7 +238,7 @@ l1:
 		if(s->macro) {
 			newio();
 			cp = ionext->b;
-			macexpand(s, cp);
+			macexpand(s, cp, sizeof(ionext->b));
 			pushio();
 			ionext->link = iostack;
 			iostack = ionext;
--- a/sys/src/cmd/cc/macbody
+++ b/sys/src/cmd/cc/macbody
@ -128,7 +128,11 @@ dodefine(char *cp)
 	char *p;
 	long l;
-	strcpy(symb, cp);
+	strncpy(symb, cp, NSYMB);
 	if(symb[NSYMB-1] != '\0'){
 		yyerror("macro too long: %s", cp);
 		symb[NSYMB-1] = 0;
 	}
 	p = strchr(symb, '=');
 	if(p) {
 		*p++ = 0;
@ -376,15 +380,14 @@ bad:
 }
 void
-macexpand(Sym *s, char *b)
+macexpand(Sym *s, char *b, int blen)
 {
 	char buf[2000];
 	int n, l, c, nargs;
-	char *arg[NARG], *cp, *ob, *ecp, dots;
+	char *arg[NARG], *cp, *ob, *eb, *ecp, dots;
 	ob = b;
 	if(*s->macro == 0) {
-		strcpy(b, s->macro+1);
+		strncpy(b, s->macro+1, blen);
 		if(debug['m'])
 			print("#expand %s %s\n", s->name, ob);
 		return;
@ -493,8 +496,12 @@ macexpand(Sym *s, char *b)
 		*b = 0;
 		return;
 	}
 	ob = b;
 	eb = b + blen-1;
 	cp = s->macro+1;
 	for(;;) {
 		if(b >= eb)
 			goto toobig;
 		c = *cp++;
 		if(c == '\n')
 			c = ' ';
@ -514,8 +521,11 @@ macexpand(Sym *s, char *b)
 		c -= 'a';
 		if(c < 0 || c >= n)
 			continue;
-		strcpy(b, arg[c]);
+		l = strlen(arg[c]);
-		b += strlen(arg[c]);
+		if(b+l > eb)
 			goto toobig;
 		memmove(b, arg[c], l);
 		b += l;
 	}
 	*b = 0;
 	if(debug['m'])
@ -551,6 +561,10 @@ macinc(void)
 			break;
 		if(c == '\n')
 			goto bad;
 		if(hp >= &str[STRINGSZ-1]){
 			yyerror("name too long for #include");
 			break;
 		}
 		*hp++ = c;
 	}
 	*hp = 0;
@ -558,29 +572,28 @@ macinc(void)
 	c = getcom();
 	if(c != '\n')
 		goto bad;
 	f = -1;
 	c = 0;
 	for(i=0; i<ninclude; i++) {
 		if(i == 0 && c0 == '>')
 			continue;
-		strcpy(symb, include[i]);
+		c = snprint(symb, NSYMB, "%s/%s", include[i], str)+1;
-		strcat(symb, "/");
+		if(strncmp(symb, "./", 2) == 0){
-		if(strcmp(symb, "./") == 0)
+			c -= 2;
-			symb[0] = 0;
+			memmove(symb, symb+2, c);
-		strcat(symb, str);
+		}
 		f = open(symb, 0);
 		if(f >= 0)
 			break;
 	}
 	if(f < 0)
-		strcpy(symb, str);
+		c = snprint(symb, NSYMB, "%s", str)+1;
 	c = strlen(symb) + 1;
 	while(c & 3)
 		c++;
 	while(nhunk < c)
 		gethunk();
 	hp = hunk;
-	memcpy(hunk, symb, c);
+	memmove(hunk, symb, c);
 	nhunk -= c;
 	hunk += c;
 	newio();
--- a/sys/src/cmd/ka/a.h
+++ b/sys/src/cmd/ka/a.h
@ -136,7 +136,7 @@ Sym*	getsym(void);
 void	domacro(void);
 void	macund(void);
 void	macdef(void);
-void	macexpand(Sym*, char*);
+void	macexpand(Sym*, char*, int);
 void	macinc(void);
 void	macprag(void);
 void	maclin(void);
--- a/sys/src/cmd/qa/a.h
+++ b/sys/src/cmd/qa/a.h
@ -138,7 +138,7 @@ Sym*	getsym(void);
 void	domacro(void);
 void	macund(void);
 void	macdef(void);
-void	macexpand(Sym*, char*);
+void	macexpand(Sym*, char*, int);
 void	macinc(void);
 void	macprag(void);
 void	maclin(void);
--- a/sys/src/cmd/va/a.h
+++ b/sys/src/cmd/va/a.h
@ -136,7 +136,7 @@ Sym*	getsym(void);
 void	domacro(void);
 void	macund(void);
 void	macdef(void);
-void	macexpand(Sym*, char*);
+void	macexpand(Sym*, char*, int);
 void	macinc(void);
 void	maclin(void);
 void	macprag(void);