Source-Changes-HG archive


[src/trunk]: src/usr.bin/make make(1): fix undefined behavior in SubstVarLong



details:   https://anonhg.NetBSD.org/src/rev/6d7a963d11d6
branches:  trunk
changeset: 1017563:6d7a963d11d6
user:      rillig <rillig%NetBSD.org@localhost>
date:      Thu Dec 31 14:10:04 2020 +0000

description:
make(1): fix undefined behavior in SubstVarLong

A memcmp implementation that would check the start and end pointers
first would have detected this possible out-of-bounds memory read.

diffstat:

 usr.bin/make/for.c |  18 +++++++++++-------
 1 files changed, 11 insertions(+), 7 deletions(-)

diffs (68 lines):

diff -r acac89ef14c6 -r 6d7a963d11d6 usr.bin/make/for.c
--- a/usr.bin/make/for.c        Thu Dec 31 13:56:56 2020 +0000
+++ b/usr.bin/make/for.c        Thu Dec 31 14:10:04 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: for.c,v 1.131 2020/12/31 13:56:56 rillig Exp $ */
+/*     $NetBSD: for.c,v 1.132 2020/12/31 14:10:04 rillig Exp $ */
 
 /*
  * Copyright (c) 1992, The Regents of the University of California.
@@ -58,7 +58,7 @@
 #include "make.h"
 
 /*     "@(#)for.c      8.1 (Berkeley) 6/6/93"  */
-MAKE_RCSID("$NetBSD: for.c,v 1.131 2020/12/31 13:56:56 rillig Exp $");
+MAKE_RCSID("$NetBSD: for.c,v 1.132 2020/12/31 14:10:04 rillig Exp $");
 
 static int forLevel = 0;       /* Nesting level */
 
@@ -356,7 +356,8 @@
  * expression like ${i} or ${i:...} or $(i) or $(i:...) with ":Uvalue".
  */
 static void
-SubstVarLong(For *f, const char **pp, const char **inout_mark, char endc)
+SubstVarLong(For *f, const char **pp, const char *bodyEnd, char endc,
+            const char **inout_mark)
 {
        size_t i;
        const char *p = *pp;
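Review bot: The doc comment above SubstVarLong is left as it was and does not describe the new `bodyEnd` parameter, so the contract the caller has to meet is undocumented. One added line would cover it, for example `bodyEnd points just past the last byte of the loop body; *pp must not be beyond it`. The comment begins before this hunk and the function body continues after it.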
@@ -366,7 +367,8 @@
                char *varname = forVar->name;
                size_t varnameLen = forVar->nameLen;
 
-               /* XXX: undefined behavior for p if varname is longer than p? */
+               if (varnameLen >= (size_t)(bodyEnd - p))
+                       continue;
                if (memcmp(p, varname, varnameLen) != 0)
                        continue;
                /* XXX: why test for backslash here? */
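Review bot: The new guard compares with `>=` rather than `>`, so it also rejects a name that would end exactly at bodyEnd, and nothing on the line says why. That looks intentional, since a match presumably still needs a following ':' or endc inside the body, but the code after the memcmp is outside this hunk. A short comment would stop a later reader from "correcting" it to `>`, for example `/* the name must be followed by at least one more byte of the body */`. The enclosing loop starts and ends outside the hunk.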
@@ -437,16 +439,18 @@
 static void
 ForSubstBody(For *f)
 {
-       const char *p;
+       const char *p, *bodyEnd;
        const char *mark;       /* where the last replacement left off */
 
        Buf_Empty(&f->curBody);
 
        mark = f->body.data;
+       bodyEnd = f->body.data + f->body.len;
        for (p = mark; (p = strchr(p, '$')) != NULL;) {
                if (p[1] == '{' || p[1] == '(') {
                        p += 2;
-                       SubstVarLong(f, &p, &mark, p[-1] == '{' ? '}' : ')');
+                       SubstVarLong(f, &p, bodyEnd, p[-1] == '{' ? '}' : ')',
+                           &mark);
                } else if (p[1] != '\0') {
                        SubstVarShort(f, p + 1, &mark);
                        p += 2;
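Review bot: The scan here is bounded by the NUL that strchr stops at, while `bodyEnd` is computed from `f->body.len`, and nothing ties the two together. The `(size_t)(bodyEnd - p)` cast in SubstVarLong is only meaningful if p never passes bodyEnd, which requires the body to be NUL-terminated at or before `body.len`. That probably holds for Buf, but it is not visible here, and a negative difference would wrap to a huge size_t and let the memcmp run anyway. Consider stating the invariant next to the assignment, e.g. `/* body.data[body.len] == '\0', so p <= bodyEnd below */`, or asserting `p <= bodyEnd` before the call.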
@@ -454,7 +458,7 @@
                        break;
        }
 
-       Buf_AddBytesBetween(&f->curBody, mark, f->body.data + f->body.len);
+       Buf_AddBytesBetween(&f->curBody, mark, bodyEnd);
 }
 
 /*


