?a, cc: fix buffer overflows in built-in preprocessor (macbody)

author cinap_lenrek <cinap_lenrek@felloff.net>

Sun, 19 Apr 2020 21:37:05 +0000 (23:37 +0200)

committer cinap_lenrek <cinap_lenrek@felloff.net>

Sun, 19 Apr 2020 21:37:05 +0000 (23:37 +0200)
author cinap_lenrek <cinap_lenrek@felloff.net>
Sun, 19 Apr 2020 21:37:05 +0000 (23:37 +0200)
committer cinap_lenrek <cinap_lenrek@felloff.net>
Sun, 19 Apr 2020 21:37:05 +0000 (23:37 +0200)
diff --git a/sys/src/cmd/1a/a.h b/sys/src/cmd/1a/a.h

index f0e2443a20215a387d7210f7737f887431c1bdc1..ff8f11ca394d049cff4822a376314c55a7e71ee9 100644 (file)
--- a/sys/src/cmd/1a/a.h
+++ b/sys/src/cmd/1a/a.h
@@ -156,7 +156,7 @@ Sym*        getsym(void);
  void   domacro(void);
  void   macund(void);
  void   macdef(void);
-void   macexpand(Sym*, char*);
+void   macexpand(Sym*, char*, int);
  void   macinc(void);
  void   macprag(void);
  void   maclin(void);
diff --git a/sys/src/cmd/2a/a.h b/sys/src/cmd/2a/a.h

index 798b2a1d706eeded46d6631bd357fbefdb966810..65549baf94ee402be9735c15fc926e6febc70326 100644 (file)
--- a/sys/src/cmd/2a/a.h
+++ b/sys/src/cmd/2a/a.h
@@ -157,7 +157,7 @@ Sym*        getsym(void);
  void   domacro(void);
  void   macund(void);
  void   macdef(void);
-void   macexpand(Sym*, char*);
+void   macexpand(Sym*, char*, int);
  void   macinc(void);
  void   macprag(void);
  void   maclin(void);
diff --git a/sys/src/cmd/5a/a.h b/sys/src/cmd/5a/a.h

index 0e07a1e10e6ffb2de77b68eece52bbc0947f4bfe..8bafbee64cfe45b060a5506178e026c175408951 100644 (file)
--- a/sys/src/cmd/5a/a.h
+++ b/sys/src/cmd/5a/a.h
@@ -137,7 +137,7 @@ Sym*        getsym(void);
  void   domacro(void);
  void   macund(void);
  void   macdef(void);
-void   macexpand(Sym*, char*);
+void   macexpand(Sym*, char*, int);
  void   macinc(void);
  void   maclin(void);
  void   macprag(void);
diff --git a/sys/src/cmd/6a/a.h b/sys/src/cmd/6a/a.h

index 709059056179b5617029eb0fb6b2c4f83e70e843..08c23ee0db0cb3c5ee25508acfa3e153675e1bb3 100644 (file)
--- a/sys/src/cmd/6a/a.h
+++ b/sys/src/cmd/6a/a.h
@@ -151,7 +151,7 @@ Sym*        getsym(void);
  void   domacro(void);
  void   macund(void);
  void   macdef(void);
-void   macexpand(Sym*, char*);
+void   macexpand(Sym*, char*, int);
  void   macinc(void);
  void   macprag(void);
  void   maclin(void);
diff --git a/sys/src/cmd/7a/a.h b/sys/src/cmd/7a/a.h

index 306a3a28503bcea7fa0f9d4db7fb0117ac295efc..f60e7dac1f6ada9c44c19cc4c32539623509ac8f 100644 (file)
--- a/sys/src/cmd/7a/a.h
+++ b/sys/src/cmd/7a/a.h
@@ -143,7 +143,7 @@ Sym*        getsym(void);
  void   domacro(void);
  void   macund(void);
  void   macdef(void);
-void   macexpand(Sym*, char*);
+void   macexpand(Sym*, char*, int);
  void   macinc(void);
  void   maclin(void);
  void   macprag(void);
diff --git a/sys/src/cmd/8a/a.h b/sys/src/cmd/8a/a.h

index 868031d805070c4afdfdf818e3e3bc259c314233..0bd5cbaf228a8963b0a776586833961cc8e9aa2a 100644 (file)
--- a/sys/src/cmd/8a/a.h
+++ b/sys/src/cmd/8a/a.h
@@ -152,7 +152,7 @@ Sym*        getsym(void);
  void   domacro(void);
  void   macund(void);
  void   macdef(void);
-void   macexpand(Sym*, char*);
+void   macexpand(Sym*, char*, int);
  void   macinc(void);
  void   macprag(void);
  void   maclin(void);
diff --git a/sys/src/cmd/cc/lex.c b/sys/src/cmd/cc/lex.c

index 5419f26bf8305d0304deaad4bc21dfe73834e110..0fac0c95b4cc5c34fb6d265549abc5b7f5e7a15b 100644 (file)
--- a/sys/src/cmd/cc/lex.c
+++ b/sys/src/cmd/cc/lex.c
@@ -760,7 +760,7 @@ talph:
         if(s->macro) {
                 newio();
                 cp = ionext->b;
-               macexpand(s, cp);
+               macexpand(s, cp, sizeof(ionext->b));
                 pushio();
                 ionext->link = iostack;
                 iostack = ionext;
diff --git a/sys/src/cmd/cc/lexbody b/sys/src/cmd/cc/lexbody

index 2b3134296775dbf219b47a99e608cfa386777dfd..2dcb9696e2d24802827b8ca153c5c5ed73fe7de5 100644 (file)
--- a/sys/src/cmd/cc/lexbody
+++ b/sys/src/cmd/cc/lexbody
@@ -238,7 +238,7 @@ l1:
                 if(s->macro) {
                         newio();
                         cp = ionext->b;
-                       macexpand(s, cp);
+                       macexpand(s, cp, sizeof(ionext->b));
                         pushio();
                         ionext->link = iostack;
                         iostack = ionext;
diff --git a/sys/src/cmd/cc/macbody b/sys/src/cmd/cc/macbody

index 0a921cbb870062c887e95a486ab1a1b4bbf44ad9..ba2fc48824cc3f4031f7ecc2179d709b511daed3 100644 (file)
--- a/sys/src/cmd/cc/macbody
+++ b/sys/src/cmd/cc/macbody
@@ -128,7 +128,11 @@ dodefine(char *cp)
         char *p;
         long l;
  
-       strcpy(symb, cp);
+       strncpy(symb, cp, NSYMB);
+       if(symb[NSYMB-1] != '\0'){
+               yyerror("macro too long: %s", cp);
+               symb[NSYMB-1] = 0;
+       }
         p = strchr(symb, '=');
         if(p) {
                 *p++ = 0;
@@ -376,15 +380,14 @@ bad:
  }
  
  void
-macexpand(Sym *s, char *b)
+macexpand(Sym *s, char *b, int blen)
  {
         char buf[2000];
         int n, l, c, nargs;
-       char *arg[NARG], *cp, *ob, *ecp, dots;
+       char *arg[NARG], *cp, *ob, *eb, *ecp, dots;
  
-       ob = b;
         if(*s->macro == 0) {
-               strcpy(b, s->macro+1);
+               strncpy(b, s->macro+1, blen);
                 if(debug['m'])
                         print("#expand %s %s\n", s->name, ob);
                 return;
@@ -493,8 +496,12 @@ macexpand(Sym *s, char *b)
                 *b = 0;
                 return;
         }
+       ob = b;
+       eb = b + blen-1;
         cp = s->macro+1;
         for(;;) {
+               if(b >= eb)
+                       goto toobig;
                 c = *cp++;
                 if(c == '\n')
                         c = ' ';
@@ -514,8 +521,11 @@ macexpand(Sym *s, char *b)
                 c -= 'a';
                 if(c < 0 || c >= n)
                         continue;
-               strcpy(b, arg[c]);
-               b += strlen(arg[c]);
+               l = strlen(arg[c]);
+               if(b+l > eb)
+                       goto toobig;
+               memmove(b, arg[c], l);
+               b += l;
         }
         *b = 0;
         if(debug['m'])
@@ -551,6 +561,10 @@ macinc(void)
                         break;
                 if(c == '\n')
                         goto bad;
+               if(hp >= &str[STRINGSZ-1]){
+                       yyerror("name too long for #include");
+                       break;
+               }
                 *hp++ = c;
         }
         *hp = 0;
@@ -558,29 +572,28 @@ macinc(void)
         c = getcom();
         if(c != '\n')
                 goto bad;
-
         f = -1;
+       c = 0;
         for(i=0; i<ninclude; i++) {
                 if(i == 0 && c0 == '>')
                         continue;
-               strcpy(symb, include[i]);
-               strcat(symb, "/");
-               if(strcmp(symb, "./") == 0)
-                       symb[0] = 0;
-               strcat(symb, str);
+               c = snprint(symb, NSYMB, "%s/%s", include[i], str)+1;
+               if(strncmp(symb, "./", 2) == 0){
+                       c -= 2;
+                       memmove(symb, symb+2, c);
+               }
                 f = open(symb, 0);
                 if(f >= 0)
                         break;
         }
         if(f < 0)
-               strcpy(symb, str);
-       c = strlen(symb) + 1;
+               c = snprint(symb, NSYMB, "%s", str)+1;
         while(c & 3)
                 c++;
         while(nhunk < c)
                 gethunk();
         hp = hunk;
-       memcpy(hunk, symb, c);
+       memmove(hunk, symb, c);
         nhunk -= c;
         hunk += c;
         newio();
diff --git a/sys/src/cmd/ka/a.h b/sys/src/cmd/ka/a.h

index 5c15ceb1489c775359d436b99e49b10ae4ba4e54..cbac168d7fe156be5478dc0958e3262f192519e8 100644 (file)
--- a/sys/src/cmd/ka/a.h
+++ b/sys/src/cmd/ka/a.h
@@ -136,7 +136,7 @@ Sym*        getsym(void);
  void   domacro(void);
  void   macund(void);
  void   macdef(void);
-void   macexpand(Sym*, char*);
+void   macexpand(Sym*, char*, int);
  void   macinc(void);
  void   macprag(void);
  void   maclin(void);
diff --git a/sys/src/cmd/qa/a.h b/sys/src/cmd/qa/a.h

index d2a2315577d662166f15611278745256f2d89853..24c3a1766ec0969a27d0117038d3c3aa27b81540 100644 (file)
--- a/sys/src/cmd/qa/a.h
+++ b/sys/src/cmd/qa/a.h
@@ -138,7 +138,7 @@ Sym*        getsym(void);
  void   domacro(void);
  void   macund(void);
  void   macdef(void);
-void   macexpand(Sym*, char*);
+void   macexpand(Sym*, char*, int);
  void   macinc(void);
  void   macprag(void);
  void   maclin(void);
diff --git a/sys/src/cmd/va/a.h b/sys/src/cmd/va/a.h

index 4aef20de4f5fd906a7f19bec429277004a01013a..63bec803845cf363f721505cb9ccfccd5c5cc258 100644 (file)
--- a/sys/src/cmd/va/a.h
+++ b/sys/src/cmd/va/a.h
@@ -136,7 +136,7 @@ Sym*        getsym(void);
  void   domacro(void);
  void   macund(void);
  void   macdef(void);
-void   macexpand(Sym*, char*);
+void   macexpand(Sym*, char*, int);
  void   macinc(void);
  void   maclin(void);
  void   macprag(void);
author	cinap_lenrek <cinap_lenrek@felloff.net>
	Sun, 19 Apr 2020 21:37:05 +0000 (23:37 +0200)
committer	cinap_lenrek <cinap_lenrek@felloff.net>
	Sun, 19 Apr 2020 21:37:05 +0000 (23:37 +0200)
sys/src/cmd/1a/a.h		patch \| blob \| history
sys/src/cmd/2a/a.h		patch \| blob \| history
sys/src/cmd/5a/a.h		patch \| blob \| history
sys/src/cmd/6a/a.h		patch \| blob \| history
sys/src/cmd/7a/a.h		patch \| blob \| history
sys/src/cmd/8a/a.h		patch \| blob \| history
sys/src/cmd/cc/lex.c		patch \| blob \| history
sys/src/cmd/cc/lexbody		patch \| blob \| history
sys/src/cmd/cc/macbody		patch \| blob \| history
sys/src/cmd/ka/a.h		patch \| blob \| history
sys/src/cmd/qa/a.h		patch \| blob \| history
sys/src/cmd/va/a.h		patch \| blob \| history