diff options
| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2015-09-24 05:13:03 +0200 |
|---|---|---|
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2015-09-24 05:13:03 +0200 |
| commit | bba6d26ca26a60690d50b3fe41a8778abd66cff0 (patch) | |
| tree | a4422c245464ffbbf529163e776790148062a015 /sys/src/cmd/cpp/lex.c | |
| parent | 2b5ab91775b97d9e53b2c92a45164703855029a2 (diff) | |
cpp: fix memory corruption due to input buffer relocation
the dynamic input buffer resize code (fillbuf()) is broken as
the calling code assumes that memory wont relocate. instead
of trying to work out all the cases where this happens, i'm
getting rid of fillbuf() and just read the whole file into
memory in setsource().
the bug could be reproduced with something as simple as:
@{for(i in `{seq 1 10000}){echo $i ', \'; }} | cpp
Diffstat (limited to 'sys/src/cmd/cpp/lex.c')
| -rw-r--r-- | sys/src/cmd/cpp/lex.c | 98 |
1 files changed, 17 insertions, 81 deletions
diff --git a/sys/src/cmd/cpp/lex.c b/sys/src/cmd/cpp/lex.c index 30367c3f7..e90423e93 100644 --- a/sys/src/cmd/cpp/lex.c +++ b/sys/src/cmd/cpp/lex.c @@ -42,7 +42,7 @@ enum state { CC1, CC2, WS1, PLUS1, MINUS1, STAR1, SLASH1, PCT1, SHARP1, CIRC1, GT1, GT2, LT1, LT2, OR1, AND1, ASG1, NOT1, DOTS1, S_SELF=MAXSTATE, S_SELFB, S_EOF, S_NL, S_EOFSTR, - S_STNL, S_COMNL, S_EOFCOM, S_COMMENT, S_EOB, S_WS, S_NAME + S_STNL, S_COMNL, S_EOFCOM, S_COMMENT, S_WS, S_NAME }; int tottok; @@ -271,7 +271,7 @@ expandlex(void) } } } - /* install special cases for ? (trigraphs), \ (splicing), runes, and EOB */ + /* install special cases for ? (trigraphs), \ (splicing), runes */ for (i=0; i<MAXSTATE; i++) { for (j=0; j<0xFF; j++) if (j=='?' || j=='\\' || UTF2(j) || UTF3(j)) { @@ -279,7 +279,6 @@ expandlex(void) bigfsm[j][i] = ~bigfsm[j][i]; bigfsm[j][i] &= ~QBSBIT; } - bigfsm[EOB][i] = ~S_EOB; if (bigfsm[EOFC][i]>=0) bigfsm[EOFC][i] = ~S_EOF; } @@ -313,18 +312,8 @@ gettokens(Tokenrow *trp, int reset) tp = trp->lp; ip = s->inp; - if (reset) { + if (reset) s->lineinc = 0; - if (ip>=s->inl) { /* nothing in buffer */ - s->inl = s->inb; - fillbuf(s); - ip = s->inp = s->inb; - } else if (ip >= s->inb+(3*s->ins/4)) { - memmove(s->inb, ip, 4+s->inl-ip); - s->inl = s->inb+(s->inl-ip); - ip = s->inp = s->inb; - } - } maxp = &trp->bp[trp->max]; runelen = 1; for (;;) { @@ -409,12 +398,6 @@ gettokens(Tokenrow *trp, int reset) runelen = 1; continue; - case S_EOB: - s->inp = ip; - fillbuf(cursource); - state = oldstate; - continue; - case S_EOF: tp->type = END; tp->len = 0; @@ -445,12 +428,7 @@ gettokens(Tokenrow *trp, int reset) state = COM2; ip += runelen; runelen = 1; - if (ip >= s->inb+(7*s->ins/8)) { /* very long comment */ - memmove(tp->t, ip, 4+s->inl-ip); - s->inl -= ip-tp->t; - ip = tp->t+1; - } - continue; + continue; case S_EOFCOM: error(WARNING, "EOF inside comment"); @@ -478,8 +456,6 @@ trigraph(Source *s) { int c; - while (s->inp+2 >= s->inl && fillbuf(s)!=EOF) - ; if (s->inp[1]!='?') return 0; c = 0; @@ -517,8 +493,6 @@ foldline(Source *s) int ncr = 0; recheck: - while (s->inp+1 >= s->inl && fillbuf(s)!=EOF) - ; if (s->inp[ncr+1] == '\r') { /* nonstandardly, ignore CR before line-folding */ ncr++; goto recheck; @@ -531,37 +505,6 @@ recheck: return 0; } -int -fillbuf(Source *s) -{ - int n; - - while((char *)s->inl+s->ins/8 > (char *)s->inb+s->ins) { - int l = s->inl - s->inb; - int p = s->inp - s->inb; - if(l < 0) - error(FATAL, "negative end of input!?"); - if(p < 0) - error(FATAL, "negative input pointer!?"); - /* double the buffer size and try again */ - s->ins *= 2; - s->inb = dorealloc(s->inb, s->ins); - s->inl = s->inb + l; - s->inp = s->inb + p; - } - if (s->fd<0 || (n=read(s->fd, (char *)s->inl, s->ins/8)) <= 0) - n = 0; - if ((*s->inp&0xff) == EOB) /* sentinel character appears in input */ - *s->inp = EOFC; - s->inl += n; - s->inl[0] = s->inl[1]= s->inl[2]= s->inl[3] = EOB; - if (n==0) { - s->inl[0] = s->inl[1]= s->inl[2]= s->inl[3] = EOFC; - return EOF; - } - return 0; -} - /* * Push down to new source of characters. * If fd>0 and str==NULL, then from a file `name'; @@ -571,7 +514,7 @@ Source * setsource(char *name, int fd, char *str) { Source *s = new(Source); - int len; + int n, len; s->line = 1; s->lineinc = 0; @@ -580,32 +523,25 @@ setsource(char *name, int fd, char *str) s->next = cursource; s->ifdepth = 0; cursource = s; - /* slop at right for EOB */ + /* slop at right for EOFC */ if (str) { len = strlen(str); s->inb = domalloc(len+4); - s->inp = s->inb; - strncpy((char *)s->inp, str, len); + strncpy((char *)s->inb, str, len); } else { - Dir *d; - int junk; - ulong length = 0; - d = dirfstat(fd); - if (d != nil) { - length = d->length; - free(d); - } - junk = length; - if (junk<INS) - junk = INS; - s->inb = domalloc((junk)+4); - s->inp = s->inb; len = 0; + s->inb = nil; + for(;;){ + s->inb = dorealloc(s->inb, len + INS); + if (s->fd<0 || (n=read(s->fd, (char *)s->inb + len, INS)) <= 0) + break; + len += n; + } + s->inb = dorealloc(s->inb, len + 4); } - - s->ins = INS; + s->inp = s->inb; s->inl = s->inp+len; - s->inl[0] = s->inl[1] = EOB; + s->inl[0] = s->inl[1] = s->inl[2] = s->inl[3] = EOFC; return s; } |