From 4577a01c688aa0b9a28c69fd89153cc96808a667 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christophe=20Sta=C3=AFesse?=
Date: Sun, 5 Oct 2014 13:42:07 +0200
Subject: [PATCH] Fix out of bounds array access on invalid macro arg references

A reference to an invalid macro argument (\ not followed by a digit between 1 and 9) will cause an access outside of the bounds of the currentmacroargs array in sym_FindMacroArg(). Macro arg references are processed in two places: In CopyMacroArg(): called when scanning tokens between "", {} and arguments of a macro call. The only problem here is that it accepts \0 as valid and so calls sym_FindMacroArg with a invalid value. In PutMacroArg(): called by the lexer automata when it encounters a token matching \\[0-9]? (in other cases than above). So not only it accepts \0 but also \ alone. Memo: In setuplex(), a rule is defined with a regex composed of up to three ranges of chars and takes the form: [FirstRange] or [FirstRange][SecondRange]? or [FirstRange]([SecondRange][Range]*)? On scanning, when several rules match, the first longuest one is choosen. Regression test: 1) SECTION "HOME", HOME db "\0" 2) SECTION "HOME", HOME db \A 3) SECTION "HOME", HOME db \
---
 src/asm/globlex.c | 12 ++++++++----
 src/asm/lexer.c | 1 -
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/asm/globlex.c b/src/asm/globlex.c
index c26cdc4d..3bb64164 100644
--- a/src/asm/globlex.c
+++ b/src/asm/globlex.c
@@ -208,10 +208,14 @@ PutMacroArg(char *src, ULONG size)
 	char *s;
 
 	yyskipbytes(size);
-	if ((s = sym_FindMacroArg(src[1] - '0')) != NULL) {
-		yyunputstr(s);
+	if ((size == 2 && src[1] >= '1' && src[1] <= '9')) {
+		if ((s = sym_FindMacroArg(src[1] - '0')) != NULL) {
+			yyunputstr(s);
+		} else {
+			yyerror("Macro argument not defined");
+		}
 	} else {
-		yyerror("Macro argument not defined");
+		yyerror("Invalid macro argument");
 	}
 	return (0);
 }
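Review bot: The new condition on the first added line of PutMacroArg() is wrapped in a redundant second pair of parentheses, `if ((size == 2 && ...))`; `if (size == 2 && src[1] >= '1' && src[1] <= '9') {` reads the same and no longer looks like an assignment-in-condition idiom. According to the description, the rule's second range is optional, so a lone `\` still reaches this function with size 1, which means the `size == 2` test must stay first so that `&&` short-circuits before `src[1]` is read — that ordering is load-bearing and deserves a comment such as `/* test size first: a lone '\' still matches the rule, so src[1] is then not part of the token */`. The digit test also duplicates the lexer range changed below in setuplex(); keeping both is sensible as defence in depth, but a comment saying so would stop a later edit from silently relying on only one of them.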
@@ -387,7 +391,7 @@ setuplex(void)
 
 	id = lex_FloatAlloc(&tMacroArgToken);
 	lex_FloatAddFirstRange(id, '\\', '\\');
-	lex_FloatAddSecondRange(id, '0', '9');
+	lex_FloatAddSecondRange(id, '1', '9');
 	id = lex_FloatAlloc(&tMacroUniqueToken);
 	lex_FloatAddFirstRange(id, '\\', '\\');
 	lex_FloatAddSecondRange(id, '@', '@');
diff --git a/src/asm/lexer.c b/src/asm/lexer.c
index ce341ec0..8d6a8a25 100644
--- a/src/asm/lexer.c
+++ b/src/asm/lexer.c
@@ -437,7 +437,6 @@ CopyMacroArg(char *dest, size_t maxLength, char c)
 	int argNum;
 
 	switch (c) {
-	case '0':
 	case '1':
 	case '2':
 	case '3':
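Review bot: Narrowing the second range to '1'..'9' on the changed line removes `\0` from tMacroArgToken, but if the description's rule form `[FirstRange][SecondRange]?` is accurate, a bare `\` still matches this token on its own and is only rejected by the size check in PutMacroArg(); a short comment here would make that dependency visible, e.g. `/* \1..\9 only; a bare '\' still matches and is rejected in PutMacroArg() */`. What an unquoted `\0` now lexes as is not visible in this hunk, and that input is not among the three regression cases listed in the description, so it may be worth adding.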