Re: [bug-gawk] out of bounds heap read in yyerror

bug-gawk

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-gawk] out of bounds heap read in yyerror

From:	Aharon Robbins
Subject:	Re: [bug-gawk] out of bounds heap read in yyerror
Date:	Sun, 25 Oct 2015 21:31:20 +0200
User-agent:	Heirloom mailx 12.5 6/20/10

Hi.

> Thanks for the fix.
>
> However using the latest git head code with the fix the same input file
> will trigger another bug and it seems even more severe: a strcpy
> writing several bytes out of bounds.

Interestingly, this only appeared in master. Not sure why. Fix is
below. I've already committed and pushed to the repo.

Thanks,

Arnold
--------------------
diff --git a/awkgram.y b/awkgram.y
index 88f5e20..7805f14 100644
--- a/awkgram.y
+++ b/awkgram.y
@@ -2316,7 +2316,8 @@ yyerror(const char *m, ...)
        count = strlen(mesg) + 1;
        if (lexptr != NULL)
                count += (lexeme - thisline) + 2;
-       emalloc(buf, char *, count, "yyerror");
+       emalloc(buf, char *, count+1, "yyerror");
+       memset(buf, 0, count+1);
 
        bp = buf;

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [bug-gawk] out of bounds heap read in yyerror, Aharon Robbins, 2015/10/11
- Re: [bug-gawk] out of bounds heap read in yyerror, Hanno Böck, 2015/10/25
  - Re: [bug-gawk] out of bounds heap read in yyerror, Aharon Robbins <=

Prev by Date: Re: [bug-gawk] out of bounds heap read in yyerror
Next by Date: [bug-gawk] Heap overflow (write) in function make_regexp on malformed input
Previous by thread: Re: [bug-gawk] out of bounds heap read in yyerror
Next by thread: [bug-gawk] 0 is invalid as number of arguments for tolower
Index(es):
- Date
- Thread