On Fri, Jun 24, 2022 at 10:29:02PM -0600, Byron Johnson wrote:
> Hello,
>
> I've attached to this email a patch that fixes a segfault from
> ‘expand_user_macro’ so that integer overflows don't bypass the bounds
> check. It applies to ‘branch-1.4’.
Thanks for catching a lurking bug! The patch is not quite correct: by
using unsigned, you have avoided the overflow to negative that triggered
an out-of-bounds memory reference, but you did not prevent overflow where
a macro definition of `$4294967297' is identical to a macro definition of
`$1' whether or not your patch is applied. Better is to treat all cases
of integer overflow as being larger than argc, and expand to an empty
string, rather than having aliased expansions to earlier argument
numbers, but that requires more than one line of code to do properly.

>
> Byron

> From 1807c3bfca8ecb761f46be149dc3cb1ea2b041d2 Mon Sep 17 00:00:00 2001
> From: Byron Johnson <[email protected]>
> Date: Fri, 24 Jun 2022 21:59:35 -0600
> Subject: [PATCH] Fix a macro expansion segfault from unchecked overflow.
>
> This example reproduces the bug on 1.4 m4's before this fix:
> % ~/local/m4/1.4/bin/m4 <<< 'define(`mac'\'', $2028558489387014291456)
> mac'
> /home/bairyn/local/m4/1.4/bin/m4: internal error detected; please
> report this bug to <[email protected]>: Segmentation fault

That bug is ANCIENT! It is still present in commit bd11691d (i.e., the
very first git commit matching the release of 1.4 in Nov 1994); I have no
access to sources specific to earlier release versions to know when the
GNU extension of supporting $10 as the tenth parameter (rather than the
first parameter concatenated with literal 0) was actually introduced, but
that appears to be where the bug was introduced - perhaps as far back as
release 0.50 in Jan 1990. Not every day you get to find and fix a bug
that old!

--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org

_______________________________________________
M4-patches mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/m4-patches
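An added illustration of the three parses discussed in this thread. This is not GNU m4 source and not code from either correspondent: it is a small model of the `$N' lookup in a macro body, with a constructed argument vector (`ARGV`/`ARGC`) and invented function names (`expand_signed`, `expand_unsigned`, `expand_saturating`). The first function reproduces the historic signed-int accumulation, where Byron's 22-digit input wraps to exactly 0x80000000 (INT32_MIN) so that `i < argc` passes with a negative index; the second is the unsigned one-liner, which cannot go negative but makes `$4294967297' alias `$1'; the third does what Eric suggests, detecting overflow during the parse, still consuming all the digits, and treating any overflowed value as larger than argc so it expands to the empty string.

```c
/* Added example, not GNU m4 code: a model of the `$N' argument lookup
   in a macro body under three parsing strategies.  The argument vector
   and function names are invented for the demonstration. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the call `mac(first, second)':
   argv[0] is the macro name, so argc == 3. */
static const char *const ARGV[] = { "mac", "first", "second" };
static const int ARGC = 3;

/* Returned instead of dereferencing a wild pointer, so the model
   reports the bug without actually crashing. */
#define OOB_READ "<out-of-bounds read: would segfault>"

/* 1. Historic behaviour: digits accumulated into a 32-bit signed int.
   Signed overflow is undefined in C, so the wrap is reproduced here on
   purpose with uint32_t and then reinterpreted, which is what
   two's-complement hardware does in practice.
   $2028558489387014291456 wraps to 0x80000000 == INT32_MIN. */
static const char *expand_signed(const char *digits)
{
    uint32_t acc = 0;
    for (; *digits >= '0' && *digits <= '9'; digits++)
        acc = acc * 10u + (uint32_t)(*digits - '0');
    int32_t i = (int32_t)acc;          /* 0x80000000 becomes INT32_MIN */
    if (i < ARGC)                      /* a negative i passes this check */
        return i < 0 ? OOB_READ : ARGV[i];
    return "";
}

/* 2. The one-line unsigned fix as described in the thread: the same
   loop with an unsigned accumulator.  No negative index can arise, but
   $4294967297 wraps to 1 and silently aliases $1. */
static const char *expand_unsigned(const char *digits)
{
    uint32_t i = 0;
    for (; *digits >= '0' && *digits <= '9'; digits++)
        i = i * 10u + (uint32_t)(*digits - '0');
    if (i < (uint32_t)ARGC)
        return ARGV[i];
    return "";
}

/* 3. Overflow treated as "larger than argc": detect the overflow while
   parsing, keep consuming digits so they are not emitted as literal
   text, and expand to the empty string whenever the value overflowed
   or is simply >= argc. */
static const char *expand_saturating(const char *digits)
{
    uint32_t i = 0;
    int overflow = 0;
    for (; *digits >= '0' && *digits <= '9'; digits++) {
        uint32_t d = (uint32_t)(*digits - '0');
        if (i > (UINT32_MAX - d) / 10u)
            overflow = 1;              /* i*10 + d would not fit */
        else
            i = i * 10u + d;
    }
    if (overflow || i >= (uint32_t)ARGC)
        return "";
    return ARGV[i];
}

int main(void)
{
    const char *cases[] = { "1", "2", "3", "4294967297",
                            "2147483648", "2028558489387014291456" };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++)
        printf("$%s -> signed:\"%s\" unsigned:\"%s\" saturating:\"%s\"\n",
               cases[k], expand_signed(cases[k]),
               expand_unsigned(cases[k]), expand_saturating(cases[k]));
    return 0;
}
```

The overflow test `i > (UINT32_MAX - d) / 10` is the exact condition under which `i * 10 + d` would exceed the accumulator, so no wrapping arithmetic is ever performed on the saturating path; once the flag is set the loop still advances over the remaining digits, which matters because an `$N` that stops parsing early would leave the tail of the number to be copied into the expansion as ordinary text.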
