Message ID | 1BC426F9-437D-41CB-9581-47CA0E222A83@adacore.com |
---|---|
State | New |
Tristan Gingold <gingold@adacore.com> wrote:

> the function libcpp/expr.c:interpret_float_suffix allows its argument
> LEN to be 0, but in this case it tries to read before the buffer S.
> It is not a real issue, except in case of overflow: on VMS with 64bit
> pointers but 32bit size_t, the following code: s[len-1] is evaluated
> as s[0xffffffff] which is likely (and does) crash cc1.
>
> To avoid this nasty effect, I just added a guard.
>
> Bootstrapped and regtested on i386/GNU linux.
>
> Ok for trunk ?

I can not approve or deny this patch, but for what it's worth, it looks fine to me.

[...]

> +++ b/libcpp/expr.c > @@ -110,12 +110,13 @@ interpret_float_suffix (const uchar *s, size_t len) > } > > /* Recognize a fixed-point suffix. */ > - switch (s[len-1]) > - { > - case 'k': case 'K': flags = CPP_N_ACCUM; break; > - case 'r': case 'R': flags = CPP_N_FRACT; break; > - default: break; > - } > + if (len != 0) > + switch (s[len-1]) > + { > + case 'k': case 'K': flags = CPP_N_ACCUM; break; > + case 'r': case 'R': flags = CPP_N_FRACT; break; > + default: break; > + } > > /* Continue processing a fixed-point suffix. The suffix is case > insensitive except for ll or LL. Order is significant. */

Thanks.
>>>>> "Tristan" == Tristan Gingold <gingold@adacore.com> writes:
Tristan> 2012-05-04 Tristan Gingold <gingold@adacore.com>
Tristan> * expr.c (interpret_float_suffix): Add a guard.
Ok.
Tom
On May 8, 2012, at 5:39 PM, Tom Tromey wrote:

>>>>>> "Tristan" == Tristan Gingold <gingold@adacore.com> writes:
>
> Tristan> 2012-05-04 Tristan Gingold <gingold@adacore.com>
> Tristan> * expr.c (interpret_float_suffix): Add a guard.
>
> Ok.

Thanks, now committed.
diff --git a/libcpp/expr.c b/libcpp/expr.c index d56e56a..ca1c3d1 100644 --- a/libcpp/expr.c +++ b/libcpp/expr.c @@ -110,12 +110,13 @@ interpret_float_suffix (const uchar *s, size_t len) } /* Recognize a fixed-point suffix. */ - switch (s[len-1]) - { - case 'k': case 'K': flags = CPP_N_ACCUM; break; - case 'r': case 'R': flags = CPP_N_FRACT; break; - default: break; - } + if (len != 0) + switch (s[len-1]) + { + case 'k': case 'K': flags = CPP_N_ACCUM; break; + case 'r': case 'R': flags = CPP_N_FRACT; break; + default: break; + } /* Continue processing a fixed-point suffix. The suffix is case insensitive except for ll or LL. Order is significant. */
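Review bot: The new `if (len != 0)` in interpret_float_suffix guards only the `switch (s[len-1])`; the "Continue processing a fixed-point suffix" code right after it still runs when len is 0, and these lines do not show whether that code also indexes s relative to len. It is worth confirming that path is safe for an empty suffix, or handling len == 0 once before any indexing of s. A short comment on the guard, saying that callers may pass len == 0 and that `len-1` then wraps because len is a size_t, would keep the check from being removed later as redundant.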