Hi, the function libcpp/expr.c:interpret_float_suffix allows its argument LEN to be 0, but in this case it tries to read before the buffer S. It is not a real issue, except in case of overflow: on VMS with 64-bit pointers but 32-bit size_t, the following code: s[len-1] is evaluated as s[0xffffffff], which is likely to (and does) crash cc1.
To avoid this nasty effect, I just added a guard. Bootstrapped and regtested on i386/GNU linux. Ok for trunk ? Tristan. libcpp/ 2012-05-04 Tristan Gingold <ging...@adacore.com> * expr.c (interpret_float_suffix): Add a guard. diff --git a/libcpp/expr.c b/libcpp/expr.c index d56e56a..ca1c3d1 100644 --- a/libcpp/expr.c +++ b/libcpp/expr.c @@ -110,12 +110,13 @@ interpret_float_suffix (const uchar *s, size_t len) } /* Recognize a fixed-point suffix. */ - switch (s[len-1]) - { - case 'k': case 'K': flags = CPP_N_ACCUM; break; - case 'r': case 'R': flags = CPP_N_FRACT; break; - default: break; - } + if (len != 0) + switch (s[len-1]) + { + case 'k': case 'K': flags = CPP_N_ACCUM; break; + case 'r': case 'R': flags = CPP_N_FRACT; break; + default: break; + } /* Continue processing a fixed-point suffix. The suffix is case insensitive except for ll or LL. Order is significant. */
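Review bot: the added guard "if (len != 0)" in front of "switch (s[len-1])" has no comment saying why a zero length has to be excluded, so a later cleanup could drop it as redundant. A one-line comment above it would help, stating that LEN may be 0 and that len-1 then wraps to the largest size_t value, which indexes far outside S on targets where size_t is narrower than a pointer. The guard covers only this switch. The comment that follows ("Continue processing a fixed-point suffix") indicates more suffix handling after it, so it is worth confirming that nothing further down indexes S relative to LEN when LEN is 0. If an empty suffix has a well-defined result, returning it at the top of the function would cover every such access at once. The ChangeLog text "Add a guard" would also read better if it named the condition, for example that the fixed-point suffix check is skipped when LEN is 0.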