Hello,
this seems to be the same problem seen in #391051 for regular
expressions (collect_RE).
In this bug we overrun the size limit of string_buff (tempbuff._string_buff)
in function collect_string.
The attached patch adds a check to collect_string similar to the one in #391051.
With that applied, the build of win32-loader would fail with this message:
awk: line 1: regular expression /grub2 ... exceeds implementation size limit
Kind regards,
Bernhard
(gdb) print sizeof(tempbuff._string_buff)
$1 = 400
(gdb) watch tempbuff._string_buff[399]
...
Hardware watchpoint 1: tempbuff._string_buff[399]
Old value = 0 '\000'
New value = 100 'd'
0x80004c60 in collect_string () at scan.c:985
985 switch (scan_code[*p++ = next()])
(gdb) bt
#0 0x80004c60 in collect_string () at scan.c:985
#1 yylex () at scan.c:651
#2 0x80002088 in yyparse () at y.tab.c:1735
#3 0x80003f15 in parse () at parse.y:1368
#4 0x8000188c in main (argc=3, argv=0xb274) at main.c:63
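A regression check for the overrun described above, added here and not part of the bug report or the patch: it feeds mawk a string literal longer than the 400-byte string_buff seen in the gdb session and classifies whether mawk rejects it, crashes, or runs through. It assumes a mawk binary on PATH; the awk program and its 500-byte literal are constructed in the script.

```shell
#!/bin/sh
# Added regression check, not part of the bug report or the patch. It feeds
# mawk a string literal longer than the 400-byte string_buff seen in the gdb
# session and classifies what mawk does with it. Assumes a mawk binary on PATH;
# the awk program and its 500-byte literal are constructed here.

# Build an awk program whose BEGIN block holds a string literal of N 'd' bytes.
make_long_awk_prog() {
    n=$1; lit=""; i=0
    while [ "$i" -lt "$n" ]; do lit="${lit}d"; i=$((i + 1)); done
    printf 'BEGIN { s = "%s"; print length(s) }\n' "$lit"
}

# Run mawk on that program. Return codes:
#   0 = mawk refused the literal with the "exceeds implementation size limit"
#       message (the behaviour the patch adds to collect_string)
#   1 = mawk was killed by a signal, i.e. the overrun crashed it
#   2 = skipped, no mawk on PATH
#   3 = mawk ran to completion (a build with a bigger or dynamic buffer, or a
#       silent overrun that happened not to crash; this check cannot tell)
check_long_string_literal() {
    command -v mawk >/dev/null 2>&1 || return 2
    prog=$(make_long_awk_prog "$1")
    rc=0
    out=$(mawk "$prog" 2>&1) || rc=$?
    if [ "$rc" -ge 128 ]; then
        printf 'crash: mawk terminated by signal %d\n' "$((rc - 128))" >&2
        return 1
    fi
    case $out in
        *"exceeds implementation size limit"*)
            printf 'rejected cleanly (exit %d): %s\n' "$rc" "$out" >&2
            return 0 ;;
    esac
    printf 'completed (exit %d): %s\n' "$rc" "$out" >&2
    return 3
}

# Usage: source this file, then run e.g. `check_long_string_literal 500`
# and inspect the exit status against the table above.
```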
From b7bea87e72ee6a72691e1fa54d2a4555c9698026 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 20 Apr 2017 16:54:05 +0200
Subject: Do not crash if argument is too long for our buffer
This patch modifies collect_string and is a copy of the
patch added to fix collect_RE in these bugs:
https://bugs.launchpad.net/bug/23494
https://bugs.debian.org/391051
Bug-Debian: https://bugs.debian.org/860751
---
scan.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/scan.c b/scan.c
index ef4df50..e343890 100644
--- a/scan.c
+++ b/scan.c
@@ -982,6 +982,15 @@ collect_string()
int e_flag = 0 ; /* on if have an escape char */
while (1)
+ {
+ if (p >= string_buff + MIN_SPRINTF - 2)
+ {
+ compile_error(
+ "regular expression /%.10s ..."
+ " exceeds implementation size limit",
+ string_buff) ;
+ mawk_exit(2) ;
+ }
switch (scan_code[*p++ = next()])
{
case SC_DQUOTE: /* done */
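Review bot: the diagnostic in the new check, "regular expression /%.10s ... exceeds implementation size limit", was copied from collect_RE, but this path collects a string literal, so an over-long string is reported as a regular expression; that is exactly the confusing output quoted in the report (awk: line 1: regular expression /grub2 ... exceeds implementation size limit). Suggest `"string \"%.10s ..."` `" exceeds implementation size limit"` so the message names the token being scanned. Separately, the bound `p >= string_buff + MIN_SPRINTF - 2` assumes MIN_SPRINTF is the capacity of string_buff (400 per the gdb output); since the check runs once per iteration and each iteration stores one byte through `*p++ = next()`, the margin suffices, but a comment tying MIN_SPRINTF to the buffer size, or a sizeof-based bound where string_buff names the array, would keep the two from drifting apart.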
@@ -1016,6 +1025,7 @@ collect_string()
default:
break ;
}
+ }
out:
yylval.ptr = (PTR) new_STRING(
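Review bot: the closing brace added here lands some forty lines after the opening `{` that the first hunk places after `while (1)`, directly before the `out:` label; a trailing comment such as `} /* while (1) */` would make the loop boundary obvious and keep the label visibly outside the loop, especially since the brace sits right after the `}` that closes the switch.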
--
2.11.0