From 76ec8e73db16f4cf1453a142d03bcc74d528f72f Mon Sep 17 00:00:00 2001 From: Philipp Thomas Date: Wed, 21 May 2008 08:53:21 -0700 Subject: [PATCH] Fix buffer overflow in preproc.c (BR 1942146) Fix buffer overflow in preproc.c due to an incorrect test. In the code: for (r = p, s = ourcopy; *r; r++) { if (r >= p+MAX_KEYWORD) return tokval->t_type = TOKEN_ID; /* Not a keyword */ *s++ = tolower(*r); } *s = '\0'; ... the test really needs to be >= since for the pass where there are equal: a) a nonzero byte means we have > MAX_KEYWORD characters, and b) s = ourcopy+MAX_KEYWORD; but if the test doesn't trigger, we can write one more character *plus* the null byte, overflowing ourcopy. --- preproc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/preproc.c b/preproc.c index 0560bebe..8626cfe8 100644 --- a/preproc.c +++ b/preproc.c @@ -1074,7 +1074,7 @@ static int ppscan(void *private_data, struct tokenval *tokval) } for (r = p, s = ourcopy; *r; r++) { - if (r > p+MAX_KEYWORD) + if (r >= p+MAX_KEYWORD) return tokval->t_type = TOKEN_ID; /* Not a keyword */ *s++ = tolower(*r); } -- 2.11.4.GIT
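Review bot: The `>=` bound is right, but it is only right because `ourcopy` is sized MAX_KEYWORD+1 bytes, and that declaration sits outside this hunk, so the loop limit and the buffer size can silently drift apart on a later edit. Tying the check to the buffer itself, for example `if (s - ourcopy >= (ptrdiff_t)sizeof(ourcopy) - 1)` (assuming `ourcopy` is a fixed-size local array and not a pointer), or at least a comment beside the declaration saying the extra byte is for the NUL written by `*s = '\0'` after the loop, would keep the invariant local to the code that depends on it. A regression test with identifiers of exactly MAX_KEYWORD and MAX_KEYWORD+1 characters would also be worth adding: the MAX_KEYWORD+1 case is the one where the old `>` let `*s++ = tolower(*r)` store the extra character and then `*s = '\0'` land one byte past the end of `ourcopy`, as the commit message describes.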