cc: prevent symbol buffer overflow

2016-05-16 22:24:39 +02:00 · 2016-05-16 22:24:39 +02:00 · 83f8d59168
commit 83f8d59168
parent 32e23bdb59
1 changed files with 19 additions and 0 deletions
--- a/sys/src/cmd/cc/lex.c
+++ b/sys/src/cmd/cc/lex.c
@ -734,6 +734,8 @@ talph:
 	 * prefix has been stored
 	 */
 	for(;;) {
+		if(cp >= &symb[NSYMB-UTFmax-1])
+			goto toolong;
 		if(c >= Runeself) {
 			for(c1=0;;) {
 				cp[c1++] = c;
@ -782,6 +784,8 @@ tnum:
 	if(c != '0') {
 		c1 |= Numdec;
 		for(;;) {
+			if(cp >= &symb[NSYMB-1])
+				goto toolong;
 			*cp++ = c;
 			c = GETC();
 			if(isdigit(c))
@ -793,6 +797,8 @@ tnum:
 	c = GETC();
 	if(c == 'x' || c == 'X')
 		for(;;) {
+			if(cp >= &symb[NSYMB-1])
+				goto toolong;
 			*cp++ = c;
 			c = GETC();
 			if(isdigit(c))
@ -809,6 +815,8 @@ tnum:
 		goto dc;
 	for(;;) {
 		if(c >= '0' && c <= '7') {
+			if(cp >= &symb[NSYMB-1])
+				goto toolong;
 			*cp++ = c;
 			c = GETC();
 			continue;
@ -880,6 +888,8 @@ nret:

 casedot:
 	for(;;) {
+		if(cp >= &symb[NSYMB-1])
+			goto toolong;
 		*cp++ = c;
 		c = GETC();
 		if(!isdigit(c))
@ -889,6 +899,8 @@ casedot:
 		goto caseout;

 casee:
+	if(cp >= &symb[NSYMB-2])
+		goto toolong;
 	*cp++ = 'e';
 	c = GETC();
 	if(c == '+' || c == '-') {
@ -898,6 +910,8 @@ casee:
 	if(!isdigit(c))
 		yyerror("malformed fp constant exponent");
 	while(isdigit(c)) {
+		if(cp >= &symb[NSYMB-1])
+			goto toolong;
 		*cp++ = c;
 		c = GETC();
 	}
@ -921,6 +935,11 @@ caseout:
 	if(c1 & Numflt)
 		return LFCONST;
 	return LDCONST;
+
+toolong:
+	yyerror("token too long: %.*s...", (int)(cp-symb), symb);
+	errorexit();
+	return -1;
 }

 /*