From 1decf5d0d45e8ec6a8a0fc0d4ba640dcc1f2fb13 Mon Sep 17 00:00:00 2001
From: dbrotz <43593771+dbrotz@users.noreply.github.com>
Date: Sun, 16 Jun 2019 15:50:56 -0700
Subject: [PATCH] Fix out of bounds array access in lexer

If the type char is signed, then in the function yylex_GetFloatMaskAndFloatLen(), *s can have a negative value and be converted to a negative int32_t which is then used as an array index. It should be converted to uint8_t instead to ensure that the value is in the bounds of the tFloatingFirstChar, tFloatingSecondChar, and tFloatingChars arrays.

---
 src/asm/lexer.c | 6 +++---
 test/asm/garbage_char.asm | 1 +
 test/asm/garbage_char.out | 3 +++
 test/asm/garbage_char.out.pipe | 3 +++
 4 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 test/asm/garbage_char.asm
 create mode 100644 test/asm/garbage_char.out
 create mode 100644 test/asm/garbage_char.out.pipe

diff --git a/src/asm/lexer.c b/src/asm/lexer.c
index a98fef81..e47032d3 100644
--- a/src/asm/lexer.c
+++ b/src/asm/lexer.c
@@ -471,17 +471,17 @@ void yylex_GetFloatMaskAndFloatLen(uint32_t *pnFloatMask, uint32_t *pnFloatLen)
 char *s = pLexBuffer;
 uint32_t nOldFloatMask = 0;
- uint32_t nFloatMask = tFloatingFirstChar[(int32_t)*s];
+ uint32_t nFloatMask = tFloatingFirstChar[(uint8_t)*s];
 if (nFloatMask != 0) {
 s++;
 nOldFloatMask = nFloatMask;
- nFloatMask &= tFloatingSecondChar[(int32_t)*s];
+ nFloatMask &= tFloatingSecondChar[(uint8_t)*s];
 while (nFloatMask != 0) {
 s++;
 nOldFloatMask = nFloatMask;
- nFloatMask &= tFloatingChars[(int32_t)*s];
+ nFloatMask &= tFloatingChars[(uint8_t)*s];
 }
 }
diff --git a/test/asm/garbage_char.asm b/test/asm/garbage_char.asm
new file mode 100644
index 00000000..ca5f132c
--- /dev/null
+++ b/test/asm/garbage_char.asm
@@ -0,0 +1 @@
+xÿ
\ No newline at end of file
diff --git a/test/asm/garbage_char.out b/test/asm/garbage_char.out
new file mode 100644
index 00000000..a05e4960
--- /dev/null
+++ b/test/asm/garbage_char.out
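Review bot: The three `(uint8_t)*s` casts are the whole fix, but nothing in the hunk records why the cast must be unsigned, so a later cleanup could turn it back into `(int32_t)` or `(int)` and silently reintroduce the negative index on platforms where `char` is signed; add a comment at the first cast, `/* char may be signed: index the tables with the unsigned byte value, never a sign-extended int */`, or route all three lookups through one `static inline` helper taking `const char *` so the cast exists in exactly one place. If tFloatingFirstChar, tFloatingSecondChar and tFloatingChars are declared with 256 entries (their declarations are outside the hunk), a `_Static_assert(sizeof tFloatingChars / sizeof tFloatingChars[0] == 256, "...")` next to the tables would make the bound checkable at compile time rather than by the new garbage_char test alone. The `while` loop also advances `s` unconditionally and stops only when the mask reaches zero, so termination at the end of pLexBuffer presumably relies on the tables' entry for the terminating byte being zero; a one-line comment stating that assumption would help the next reader. yylex_GetFloatMaskAndFloatLen begins at the hunk header's context line and continues past the end of the hunk.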
@@ -0,0 +1,3 @@
+ERROR: garbage_char.asm(1):
+ syntax error
+error: Assembly aborted (1 errors)!
diff --git a/test/asm/garbage_char.out.pipe b/test/asm/garbage_char.out.pipe
new file mode 100644
index 00000000..1ba12ddc
--- /dev/null
+++ b/test/asm/garbage_char.out.pipe
@@ -0,0 +1,3 @@
+ERROR: -(1):
+ syntax error
+error: Assembly aborted (1 errors)!