Fix out of bounds array access on invalid macro arg references

A reference to an invalid macro argument (\ not followed by a digit
between 1 and 9) will cause an access outside of the bounds of the
currentmacroargs array in sym_FindMacroArg().

Macro arg references are processed in two places:

In CopyMacroArg(): called when scanning tokens between "", {} and
arguments of a macro call. The only problem here is that it accepts \0
as valid and so calls sym_FindMacroArg with an invalid value.

In PutMacroArg(): called by the lexer automata when it encounters a
token matching \\[0-9]? (in other cases than above). So it accepts not
only \0 but also \ alone.
  Memo: In setuplex(), a rule is defined with a regex composed of up to
    three ranges of chars and takes the form:
      [FirstRange]
      or [FirstRange][SecondRange]?
      or [FirstRange]([SecondRange][Range]*)?
    On scanning, when several rules match, the first longest one is
    chosen.

Regression test:
1)
SECTION "HOME", HOME
	db "\0"

2)
SECTION "HOME", HOME
	db \A

3)
SECTION "HOME", HOME
	db \
Christophe Staïesse
2014-10-05 13:42:07 +02:00
parent 6758387668
commit 4577a01c68
2 changed files with 8 additions and 5 deletions
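
The three regression cases from the commit message, worked through as an added example (not code from this commit or from the project). It shows the number the unchecked `src[1] - '0'` expression produces for each token and a checked form that rejects them. The 9-slot `args` table, its layout and all function names are assumptions, since the body of sym_FindMacroArg() is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_MACRO_ARGS 9  /* assumed: \1..\9, per the commit message */

/* Unchecked: the number the pre-fix code hands to the lookup. */
static int raw_arg_number(const char *src)
{
    return src[1] - '0';
}

/* Checked: returns 1..9 for a well-formed reference, -1 otherwise. */
static int checked_arg_number(const char *src, size_t size)
{
    if (size != 2 || src[0] != '\\')
        return -1;
    if (src[1] < '1' || src[1] > '9')
        return -1;
    return src[1] - '0';
}

/* Hypothetical stand-in for the argument table; slot n-1 holds \n. */
static const char *args[MAX_MACRO_ARGS] = { "first", "second" };

static const char *find_arg(const char *src, size_t size)
{
    int n = checked_arg_number(src, size);
    return n < 0 ? NULL : args[n - 1];
}

int main(void)
{
    /* Constructed inputs: the three regression cases plus a valid one.
       For "\A" and a bare "\", the old rule matches the backslash alone
       (size 1) and src[1] is whatever byte follows it in the buffer. */
    struct { const char *buf; size_t size; } cases[] = {
        { "\\0", 2 }, { "\\A", 1 }, { "\\\n", 1 }, { "\\1", 2 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *s = find_arg(cases[i].buf, cases[i].size);
        printf("raw=%d checked=%d arg=%s\n", raw_arg_number(cases[i].buf),
               checked_arg_number(cases[i].buf, cases[i].size),
               s ? s : "(rejected)");
    }
    return 0;
}
```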

@@ -208,10 +208,14 @@ PutMacroArg(char *src, ULONG size)
char *s; char *s;
yyskipbytes(size); yyskipbytes(size);
if ((s = sym_FindMacroArg(src[1] - '0')) != NULL) { if ((size == 2 && src[1] >= '1' && src[1] <= '9')) {
yyunputstr(s); if ((s = sym_FindMacroArg(src[1] - '0')) != NULL) {
yyunputstr(s);
} else {
yyerror("Macro argument not defined");
}
} else { } else {
yyerror("Macro argument not defined"); yyerror("Invalid macro argument");
} }
return (0); return (0);
} }
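
Review bot: The range check added in the outer condition of PutMacroArg guards this one call site, but the commit message places the out-of-bounds access inside sym_FindMacroArg(), so any other caller that passes an unvalidated number is still exposed. Consider having sym_FindMacroArg() reject values outside 1 to 9 itself and return NULL, and keep this check only to choose between the "Invalid macro argument" and "Macro argument not defined" messages. Minor style point: the new condition is wrapped in a redundant second pair of parentheses, `if ((size == 2 && ...))`.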
@@ -387,7 +391,7 @@ setuplex(void)
id = lex_FloatAlloc(&tMacroArgToken); id = lex_FloatAlloc(&tMacroArgToken);
lex_FloatAddFirstRange(id, '\\', '\\'); lex_FloatAddFirstRange(id, '\\', '\\');
lex_FloatAddSecondRange(id, '0', '9'); lex_FloatAddSecondRange(id, '1', '9');
id = lex_FloatAlloc(&tMacroUniqueToken); id = lex_FloatAlloc(&tMacroUniqueToken);
lex_FloatAddFirstRange(id, '\\', '\\'); lex_FloatAddFirstRange(id, '\\', '\\');
lex_FloatAddSecondRange(id, '@', '@'); lex_FloatAddSecondRange(id, '@', '@');
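
Review bot: Narrowing the second range of the tMacroArgToken rule to '1'..'9' changes how `\0` is tokenized: it now matches as a bare `\` of size 1 followed by a separate `0`, and the error is only reported because PutMacroArg rejects size != 2. That coupling is not obvious from this line alone, so a short comment here saying that 0 is excluded on purpose and that PutMacroArg reports the bare backslash would help the next reader. It also makes the `src[1] >= '1' && src[1] <= '9'` test in PutMacroArg purely defensive, which is worth stating in the same comment.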

@@ -437,7 +437,6 @@ CopyMacroArg(char *dest, size_t maxLength, char c)
int argNum; int argNum;
switch (c) { switch (c) {
case '0':
case '1': case '1':
case '2': case '2':
case '3': case '3':
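
Review bot: With `case '0':` removed from the switch in CopyMacroArg, `\0` inside a string or macro call argument now falls through to whatever the default branch does, and that branch is outside the visible context. Please confirm it reports an error (or copies the characters literally in a documented way) rather than silently dropping them. The three regression inputs listed in the commit message are also not part of this change (only two source files are touched), so adding them as test files would keep the fix covered.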