Tristan Gingold <ging...@adacore.com> wrote:

> the function libcpp/expr.c:interpret_float_suffix allows its argument
> LEN to be 0, but in this case it tries to read before the buffer S.
> It is not a real issue, except in case of overflow: on VMS with 64bit
> pointers but 32bit size_t, the following code: s[len-1] is evaluated
> as s[0xffffffff] which is likely (and does) crash cc1.
>
> To avoid this nasty effect, I just added a guard.
>
> Bootstrapped and regtested on i386/GNU linux.
>
> Ok for trunk ?

I cannot approve or deny this patch, but for what it's worth, it looks
fine to me.

[...]

> +++ b/libcpp/expr.c
> @@ -110,12 +110,13 @@ interpret_float_suffix (const uchar *s, size_t len)
>      }
>  
>    /* Recognize a fixed-point suffix.  */
> -  switch (s[len-1])
> -    {
> -    case 'k': case 'K': flags = CPP_N_ACCUM; break;
> -    case 'r': case 'R': flags = CPP_N_FRACT; break;
> -    default: break;
> -    }
> +  if (len != 0)
> +    switch (s[len-1])
> +      {
> +      case 'k': case 'K': flags = CPP_N_ACCUM; break;
> +      case 'r': case 'R': flags = CPP_N_FRACT; break;
> +      default: break;
> +      }
>  
>    /* Continue processing a fixed-point suffix.  The suffix is case
>       insensitive except for ll or LL.  Order is significant.  */
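Review bot: the guard at `+  if (len != 0)` only protects the first `s[len-1]` read; the code that follows the "Continue processing a fixed-point suffix" comment is outside this hunk, so please confirm it does not index `s` relative to `len` when `len == 0`, or consider an early return for `len == 0` at the top of interpret_float_suffix so that no later suffix check can underflow `len-1` (with size_t that wraps to SIZE_MAX, which is the out-of-bounds read the description reports crashing on VMS). It would also help to extend the `/* Recognize a fixed-point suffix.  */` comment with a note that an empty suffix is a valid input here, since that is the assumption the new guard encodes.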

Thanks.

-- 
                Dodji
