| commit | 76ec8e73db16f4cf1453a142d03bcc74d528f72f | |
| author | Philipp Thomas <pepys@users.sourceforge.net> | |
| Wed, 21 May 2008 15:53:21 +0000 (21 08:53 -0700) | ||
| committer | H. Peter Anvin <hpa@zytor.com> | |
| Wed, 21 May 2008 15:53:21 +0000 (21 08:53 -0700) | ||
| tree | 79f4465d218313a1c72e556db6865955234b6bc3 | treesnapshot (tar.gz zip) |
| parent | 18c3ce251712684954b5896516bdfdf7be775d1b | commitdiff |
Fix buffer overflow in preproc.c (BR 1942146)
Fix buffer overflow in preproc.c due to an incorrect test. In the
code:
for (r = p, s = ourcopy; *r; r++) {
if (r >= p+MAX_KEYWORD)
return tokval->t_type = TOKEN_ID; /* Not a keyword */
*s++ = tolower(*r);
}
*s = '\0';
... the test really needs to be >= since for the pass where there are
equal:
a) a nonzero byte means we have > MAX_KEYWORD characters, and
b) s = ourcopy+MAX_KEYWORD; but if the test doesn't trigger,
we can write one more character *plus* the null byte, overflowing
ourcopy.
Fix buffer overflow in preproc.c due to an incorrect test. In the
code:
for (r = p, s = ourcopy; *r; r++) {
if (r >= p+MAX_KEYWORD)
return tokval->t_type = TOKEN_ID; /* Not a keyword */
*s++ = tolower(*r);
}
*s = '\0';
... the test really needs to be >= since for the pass where there are
equal:
a) a nonzero byte means we have > MAX_KEYWORD characters, and
b) s = ourcopy+MAX_KEYWORD; but if the test doesn't trigger,
we can write one more character *plus* the null byte, overflowing
ourcopy.
| preproc.c | diffblobblamehistory |