[libcpp] : Avoid crash in interpret_float_suffix

Message ID	1BC426F9-437D-41CB-9581-47CA0E222A83@adacore.com
State	New
Headers	show Return-Path: <gcc-patches-return-318193-incoming=patchwork.ozlabs.org@gcc.gnu.org> Comment: DKIM? See http://www.dkim.org Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gcc.gnu.org; h=Received:Received:X-SWARE-Spam-Status:X-Spam-Check-By:Received:Received:Received:Received:From:Content-Type:Content-Transfer-Encoding:Subject:Date:Message-Id:Cc:To:Mime-Version:X-IsSubscribed:Mailing-List:Precedence:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:Sender:Delivered-To; b=FWLEEf80e5yEnb+hjP3IpEni6JQ+eGifTUVAX7FUWAoRsPSqNH6QMJhdWDhOY9 3xh+FppYSgYJY+klVQ84Gmyn93v6yPNh3jWg7WSDCkNIzpUOv7tEPoGzMgBM/ZLl nct9/jXXVXU9YjbzX5w2izm45qNzx+p83jkQXTB/sdj5M=; From: Tristan Gingold <gingold@adacore.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Subject: [PATCH libcpp]: Avoid crash in interpret_float_suffix Date: Fri, 4 May 2012 14:23:14 +0200 Message-Id: <1BC426F9-437D-41CB-9581-47CA0E222A83@adacore.com> Cc: Tom Tromey <tromey@redhat.com> To: GCC Patches <gcc-patches@gcc.gnu.org> Mime-Version: 1.0 (Apple Message framework v1257) Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk Sender: gcc-patches-owner@gcc.gnu.org

Message ID

1BC426F9-437D-41CB-9581-47CA0E222A83@adacore.com

State

New

Headers

Comment: DKIM? See http://www.dkim.org
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gcc.gnu.org;
	h=Received:Received:X-SWARE-Spam-Status:X-Spam-Check-By:Received:Received:Received:Received:From:Content-Type:Content-Transfer-Encoding:Subject:Date:Message-Id:Cc:To:Mime-Version:X-IsSubscribed:Mailing-List:Precedence:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:Sender:Delivered-To;
	b=FWLEEf80e5yEnb+hjP3IpEni6JQ+eGifTUVAX7FUWAoRsPSqNH6QMJhdWDhOY9
	3xh+FppYSgYJY+klVQ84Gmyn93v6yPNh3jWg7WSDCkNIzpUOv7tEPoGzMgBM/ZLl
	nct9/jXXVXU9YjbzX5w2izm45qNzx+p83jkQXTB/sdj5M=;
From: Tristan Gingold <gingold@adacore.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: [PATCH libcpp]: Avoid crash in interpret_float_suffix
Date: Fri, 4 May 2012 14:23:14 +0200
Message-Id: <1BC426F9-437D-41CB-9581-47CA0E222A83@adacore.com>
Cc: Tom Tromey <tromey@redhat.com>
To: GCC Patches <gcc-patches@gcc.gnu.org>
Mime-Version: 1.0 (Apple Message framework v1257)
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
Sender: gcc-patches-owner@gcc.gnu.org

Commit Message

Tristan Gingold May 4, 2012, 12:23 p.m. UTC

Hi,

the function libcpp/expr.c:interpret_float_suffix allows its argument LEN to be 0, but in this case it tries to read before the buffer S.  It is not a real issue, except in case of overflow:  on VMS with 64bit pointers but 32bit size_t, the following code:
  s[len-1]
is evaluated as
  s[0xffffffff]
which is likely (and does) crash cc1.

To avoid this nasty effect, I just added a guard.

Bootstrapped and regtested on i386/GNU linux.

Ok for trunk ?

Tristan.

libcpp/
2012-05-04  Tristan Gingold  <gingold@adacore.com>

	* expr.c (interpret_float_suffix): Add a guard.

Comments

Dodji Seketeli May 4, 2012, 2:03 p.m. UTC | #1

Tristan Gingold <gingold@adacore.com> a écrit:

> the function libcpp/expr.c:interpret_float_suffix allows its argument
> LEN to be 0, but in this case it tries to read before the buffer S.
> It is not a real issue, except in case of overflow: on VMS with 64bit
> pointers but 32bit size_t, the following code: s[len-1] is evaluated
> as s[0xffffffff] which is likely (and does) crash cc1.
>
> To avoid this nasty effect, I just added a guard.
>
> Bootstrapped and regtested on i386/GNU linux.
>
> Ok for trunk ?

I can not approve or deny this patch, but for what it's worth, it looks
fine to me.

[...]

> +++ b/libcpp/expr.c
> @@ -110,12 +110,13 @@ interpret_float_suffix (const uchar *s, size_t len)
>      }
>  
>    /* Recognize a fixed-point suffix.  */
> -  switch (s[len-1])
> -    {
> -    case 'k': case 'K': flags = CPP_N_ACCUM; break;
> -    case 'r': case 'R': flags = CPP_N_FRACT; break;
> -    default: break;
> -    }
> +  if (len != 0)
> +    switch (s[len-1])
> +      {
> +      case 'k': case 'K': flags = CPP_N_ACCUM; break;
> +      case 'r': case 'R': flags = CPP_N_FRACT; break;
> +      default: break;
> +      }
>  
>    /* Continue processing a fixed-point suffix.  The suffix is case
>       insensitive except for ll or LL.  Order is significant.  */

Thanks.

Tom Tromey May 8, 2012, 3:39 p.m. UTC | #2

>>>>> "Tristan" == Tristan Gingold <gingold@adacore.com> writes:

Tristan> 2012-05-04  Tristan Gingold  <gingold@adacore.com>
Tristan> 	* expr.c (interpret_float_suffix): Add a guard.

Ok.

Tom

Tristan Gingold May 10, 2012, 8:04 a.m. UTC | #3

On May 8, 2012, at 5:39 PM, Tom Tromey wrote:

>>>>>> "Tristan" == Tristan Gingold <gingold@adacore.com> writes:
> 
> Tristan> 2012-05-04  Tristan Gingold  <gingold@adacore.com>
> Tristan> 	* expr.c (interpret_float_suffix): Add a guard.
> 
> Ok.

Thanks, now committed.

diff --git a/libcpp/expr.c b/libcpp/expr.c
index d56e56a..ca1c3d1 100644
--- a/libcpp/expr.c
+++ b/libcpp/expr.c
@@ -110,12 +110,13 @@  interpret_float_suffix (const uchar *s, size_t len)
     }
 
   /* Recognize a fixed-point suffix.  */
-  switch (s[len-1])
-    {
-    case 'k': case 'K': flags = CPP_N_ACCUM; break;
-    case 'r': case 'R': flags = CPP_N_FRACT; break;
-    default: break;
-    }
+  if (len != 0)
+    switch (s[len-1])
+      {
+      case 'k': case 'K': flags = CPP_N_ACCUM; break;
+      case 'r': case 'R': flags = CPP_N_FRACT; break;
+      default: break;
+      }
 
   /* Continue processing a fixed-point suffix.  The suffix is case
      insensitive except for ll or LL.  Order is significant.  */