Bug#860751: Bug#860695: win32-loader: FTBFS on i386: segmentation fault

2017-04-20 Thread Thomas Dickey
On Thu, Apr 20, 2017 at 05:11:17PM +0200, Bernhard Übelacker wrote:
> Hello,
> this seems to be the same problem seen in #391051 for regular
> expressions (collect_RE).
> 
> In this bug we overrun the size limit of string_buff (tempbuff._string_buff)
> in function collect_string.
> 
> Attached patch adds a check to collect_string similar to the one in #391051.

hmm - upstream mawk makes 7 checks like this in scan.c

start here:

https://github.com/ThomasDickey/mawk-snapshots/blob/master/scan.c#L72

-- 
Thomas E. Dickey 
http://invisible-island.net
ftp://invisible-island.net




Bug#860751: Bug#860695: win32-loader: FTBFS on i386: segmentation fault

2017-04-20 Thread Bernhard Übelacker
Hello,
this seems to be the same problem seen in #391051 for regular
expressions (collect_RE).

In this bug we overrun the size limit of string_buff (tempbuff._string_buff)
in function collect_string.

Attached patch adds a check to collect_string similar to the one in #391051.

With that applied the build of win32-loader would fail with this message:
  awk: line 1: regular expression /grub2  ... exceeds implementation size limit


Kind regards,
Bernhard



(gdb) print sizeof(tempbuff._string_buff)
$1 = 400
(gdb) watch tempbuff._string_buff[399]
...
Hardware watchpoint 1: tempbuff._string_buff[399]

Old value = 0 '\000'
New value = 100 'd'
0x80004c60 in collect_string () at scan.c:985
985   switch (scan_code[*p++ = next()])
(gdb) bt
#0  0x80004c60 in collect_string () at scan.c:985
#1  yylex () at scan.c:651
#2  0x80002088 in yyparse () at y.tab.c:1735
#3  0x80003f15 in parse () at parse.y:1368
#4  0x8000188c in main (argc=3, argv=0xb274) at main.c:63
From b7bea87e72ee6a72691e1fa54d2a4555c9698026 Mon Sep 17 00:00:00 2001
From: root 
Date: Thu, 20 Apr 2017 16:54:05 +0200
Subject: Do not crash if argument is too long for our buffer

This patch modifies collect_string and is a copy of the
patch added to fix collect_RE in these bugs:
  https://bugs.launchpad.net/bug/23494
  https://bugs.debian.org/391051

Bug-Debian: https://bugs.debian.org/860751
---
 scan.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/scan.c b/scan.c
index ef4df50..e343890 100644
--- a/scan.c
+++ b/scan.c
@@ -982,6 +982,15 @@ collect_string()
int e_flag = 0 ;		 /* on if have an escape char */
 
while (1)
+   {
+  if (p >= string_buff + MIN_SPRINTF - 2)
+  {
+  compile_error(
+ "regular expression /%.10s ..."
+ " exceeds implementation size limit",
+ string_buff) ;
+ mawk_exit(2) ;
+  }
   switch (scan_code[*p++ = next()])
   {
 	 case SC_DQUOTE:	/* done */
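Review bot: the error text carried over from the collect_RE fix, "regular expression /%.10s ... exceeds implementation size limit", misreports what overflowed: this loop is collect_string, which is scanning a double-quoted string literal, and the build log quoted above already shows the confusing result ("regular expression /grub2 ..."). Suggest `"string \"%.10s ...\" exceeds implementation size limit"`. Two smaller points in the same check: the bound is `string_buff + MIN_SPRINTF - 2`, but gdb printed sizeof(tempbuff._string_buff) as 400, so unless MIN_SPRINTF is defined as exactly that buffer size the limit is off in one direction or the other; using the buffer's own size (or a comment stating the two constants are the same) would make the check self-evidently correct. And the `- 2` margin deserves a comment saying what it reserves, since the `e_flag` comment implies an escape path that can store a second byte in one iteration, on top of the trailing terminator.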
@@ -1016,6 +1025,7 @@ collect_string()
 	 default:
 	break ;
   }
+   }
 
 out:
yylval.ptr = (PTR) new_STRING(
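Review bot: no regression input accompanies the new bail-out path that ends here, although the report already contains one (a win32-loader string literal longer than the 400-byte buffer). A one-line case such as running mawk on `BEGIN { s = "<401 x's>" }` and checking for exit status 2 (the value passed to mawk_exit above) rather than a segmentation fault would pin the behaviour down and would also have caught the "regular expression" wording in the message.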
-- 
2.11.0
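An added, stand-alone illustration of the bounded loop the patch introduces; this is not code from the report, from the patch or from mawk. It models collect_string as a function that copies the body of a double-quoted awk literal into a 400-byte buffer (the size gdb printed above for tempbuff._string_buff; the STRING_BUFF_SIZE name, the collect_rc enum and the helper scan_literal_of_length are assumptions made here), keeps escapes raw so that one iteration can store two bytes, and refuses further input two bytes before the end of the buffer, matching the shape of the patch's `p >= string_buff + MIN_SPRINTF - 2` check, but returning an error code instead of calling compile_error and mawk_exit. The helper builds constructed inputs of a chosen length so the exact position of the limit is visible.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of mawk's tempbuff._string_buff as printed by gdb in the report above
 * (assumed constant name). */
#define STRING_BUFF_SIZE 400

enum collect_rc { COLLECT_OK = 0, COLLECT_UNTERMINATED, COLLECT_TOO_LONG };

/*
 * Copy the body of a double-quoted literal from src (pointing just past the
 * opening quote) into buf.  Escapes are stored raw ("\n" stays as the two
 * bytes '\\','n'), so a single iteration may write two bytes; the check
 * therefore stops two bytes before the end, which also leaves room for the
 * terminating NUL.  The closing quote is consumed but not stored.  Like the
 * patch, the check runs before the next character is read, so a literal
 * whose closing quote would land in the reserved bytes is also rejected.
 */
static enum collect_rc
collect_string(const char *src, char *buf, size_t bufsize,
               size_t *out_len, const char **out_rest)
{
    char *p = buf;
    const char *s = src;

    if (bufsize < 3)
        return COLLECT_TOO_LONG;

    for (;;) {
        /* bail out before the write, not after it */
        if (p >= buf + bufsize - 2)
            return COLLECT_TOO_LONG;

        int c = (unsigned char)*s++;
        switch (c) {
        case '\0':
        case '\n':
            return COLLECT_UNTERMINATED;    /* runaway string constant */
        case '"':
            *p = '\0';
            if (out_len)  *out_len = (size_t)(p - buf);
            if (out_rest) *out_rest = s;
            return COLLECT_OK;
        case '\\':
            if (*s == '\n') {               /* backslash-newline: continuation, stores nothing */
                s++;
                break;
            }
            if (*s == '\0')
                return COLLECT_UNTERMINATED;
            *p++ = '\\';
            *p++ = *s++;                    /* second byte of the escape */
            break;
        default:
            *p++ = (char)c;
            break;
        }
    }
}

/* Scan a constructed literal made of n copies of fill followed by the closing quote. */
static enum collect_rc scan_literal_of_length(size_t n, const char *fill)
{
    char src[2 * STRING_BUFF_SIZE + 2];
    char buf[STRING_BUFF_SIZE];
    size_t i, pos = 0;
    size_t flen = strlen(fill);

    if (n * flen + 1 >= sizeof src)
        return COLLECT_TOO_LONG;
    for (i = 0; i < n; i++) {
        memcpy(src + pos, fill, flen);
        pos += flen;
    }
    src[pos++] = '"';
    src[pos] = '\0';
    return collect_string(src, buf, sizeof buf, NULL, NULL);
}

int main(void)
{
    /* constructed input in the spirit of the win32-loader line: a literal with escaped quotes */
    char buf[STRING_BUFF_SIZE];
    size_t len;
    const char *rest;
    enum collect_rc rc = collect_string("grub2 \\\"quoted\\\" text\" rest",
                                        buf, sizeof buf, &len, &rest);
    printf("rc=%d len=%zu buf=[%s] rest=[%s]\n", rc, len, buf, rest);
    printf("397 plain chars:          rc=%d\n", scan_literal_of_length(397, "x"));
    printf("398 plain chars:          rc=%d\n", scan_literal_of_length(398, "x"));
    printf("198 escapes (396 bytes):  rc=%d\n", scan_literal_of_length(198, "\\n"));
    printf("199 escapes (398 bytes):  rc=%d\n", scan_literal_of_length(199, "\\n"));
    return 0;
}
```

With a 400-byte buffer the longest accepted plain literal is 397 bytes, and 198 two-byte escapes (396 bytes) pass while 199 (398 bytes) are refused even though they would still fit: that is the price of checking before the read with a fixed two-byte reserve, and it is the same conservatism the patch has.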