From 2dfd937d7f2c8d3ceaae5c471d7a2b0a342855b1 Mon Sep 17 00:00:00 2001 From: Vegard Nossum Date: Sun, 21 Oct 2012 05:51:48 +0200 Subject: [PATCH] Prevent lexer from reading beyond the end of the buffer On Linux, valgrind complains about the overflow like this: Pass 1... ==20054== Invalid read of size 1 ==20054== at 0x406CDA: yylex (lexer.c:396) ==20054== by 0x40207C: yyparse (asmy.c:2921) ==20054== by 0x4086AF: main (main.c:351) ==20054== Address 0x503a102 is 0 bytes after a block of size 23,538 alloc'd ==20054== at 0x402994D: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==20054== by 0x406411: yy_create_buffer (lexer.c:147) ==20054== by 0x404FE3: fstk_RunInclude (fstack.c:243) ==20054== by 0x4025F5: yyparse (asmy.y:744) ==20054== by 0x4086AF: main (main.c:351) ==20054== This is a bit of a crude fix which simply exits the hashing loop when we reach the end of the string. We should probably do some kind of length calculation on the buffer instead. Signed-off-by: Vegard Nossum
--- src/asm/lexer.c | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/src/asm/lexer.c b/src/asm/lexer.c
index 5e2c1cb2..ead1ee49 100644
--- a/src/asm/lexer.c
+++ b/src/asm/lexer.c
@@ -392,6 +392,15 @@ scanagain:
 hash = 0;
 s = pLexBuffer;
 while (yyleng < nLexMaxLeng) {
+ /* XXX: Kludge warning! The dereference of s below
+ * may go beyond the end of the buffer. We use the
+ * following test to stop that from happening,
+ * without really understanding what the rest of
+ * the code is doing. This may not be the correct
+ * fix! */
+ if (!*s)
+ break;
+
 yyleng += 1;
 hash = ((hash << 1) + (toupper(*s))) % LEXHASHSIZE;
 s += 1;
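Review bot: The new guard `if (!*s)` dereferences s before it is known to lie inside the buffer, so it is only safe if yy_create_buffer guarantees a NUL byte immediately after the last byte of data; the valgrind report in the message (a 1-byte read 0 bytes past the allocation) suggests that is not guaranteed, in which case the guard itself is the out-of-bounds read. A bound against the buffer end would be the robust form, e.g. `if (s >= <end-of-buffer pointer, not on this page> || !*s) break;`, kept alongside the existing `yyleng < nLexMaxLeng` check. The guard also changes tokenization for any input containing an embedded NUL byte, since the hashing loop now stops there; if that is intended, the comment should state it in place of the "Kludge warning" text. The context line `toupper(*s)` passes a plain char, which is undefined for negative values on signed-char platforms and would be safer as `toupper((unsigned char)*s)`. The enclosing yylex body and the scanagain loop start and end outside the hunk.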