I may be missing something obvious here, but it seems that the below
indices should be unsigned. str_table has UCHAR_MAX elements, so it
expects to be indexed by chars > 127.
I'm currently digging through a bunch of segfaults found by American
Fuzzy Lop (afl). I don't think I've come across this in the results yet,
but it caught my eye.
Bounds checks may be necessary for the latter two hunks.
Thoughts?
Index: bc.y
===================================================================
RCS file: /cvs/src/usr.bin/bc/bc.y,v
retrieving revision 1.48
diff -u -p -r1.48 bc.y
--- bc.y 10 Oct 2015 19:28:54 -0000 1.48
+++ bc.y 16 Nov 2015 17:22:05 -0000
@@ -891,7 +891,7 @@ letter_node(char *str)
len = strlen(str);
if (len == 1 && str[0] != '_')
- return cs(str_table[(int)str[0]]);
+ return cs(str_table[(u_char)str[0]]);
else
return lookup(str, len, 'L');
}
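Review bot: the u_char cast makes index 255 reachable, so this hunk relies on str_table having UCHAR_MAX + 1 entries; the cover note says it has UCHAR_MAX elements, which would leave str_table[255] one past the end. Confirm the declaration before committing, and consider a comment on str_table stating that it is indexed by u_char so the next reader does not reintroduce the (int) cast.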
@@ -903,7 +903,7 @@ array_node(char *str)
len = strlen(str);
if (len == 1 && str[0] != '_')
- return cs(str_table[(int)str[0] - 'a' + ARRAY_CHAR]);
+ return cs(str_table[(u_char)str[0] - 'a' + ARRAY_CHAR]);
else
return lookup(str, len, 'A');
}
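Review bot: the cast removes the negative index but does not bound the subscript: with str[0] below 'a' (for example 'A') the index becomes ARRAY_CHAR - 32, and with bytes above 'z' (now positive after the cast, up to 255) it becomes as large as ARRAY_CHAR + 158, well outside the 'a'..'z' range this expression assumes. As the cover note anticipates, a range check belongs here, for example rejecting or routing to lookup() when `str[0] < 'a' || str[0] > 'z'`, unless the scanner already guarantees that a one-character array name is a lowercase letter.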
@@ -915,7 +915,7 @@ function_node(char *str)
len = strlen(str);
if (len == 1 && str[0] != '_')
- return cs(str_table[(int)str[0] - 'a' + FUNC_CHAR]);
+ return cs(str_table[(u_char)str[0] - 'a' + FUNC_CHAR]);
else
return lookup(str, len, 'F');
}
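Review bot: same issue as array_node(): `(u_char)str[0] - 'a' + FUNC_CHAR` still goes below FUNC_CHAR for str[0] < 'a' and up to FUNC_CHAR + 158 for high bytes, so the cast alone is not a bounds check. Since letter_node(), array_node() and function_node() repeat the same `len == 1 && str[0] != '_'` test, a shared helper that validates the letter and returns the slot (or falls back to lookup()) would fix both hunks in one place.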
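To make the sign-extension problem the post describes concrete, here is an added example in C; it is not code from bc or from the patch above. It shows what `(int)str[0]` yields for a byte above 127 on a platform with signed char, what the `(u_char)` cast yields instead, and a checked variant of the `- 'a' + ARRAY_CHAR` arithmetic that rejects anything outside 'a'..'z'. The ARRAY_CHAR and FUNC_CHAR values and the str_table layout are made up for the example and are not bc's real ones.

```c
#include <limits.h>
#include <stdio.h>

typedef unsigned char u_char;

/* Hypothetical layout of str_table: plain letters at 'a'..'z',
 * arrays at ARRAY_CHAR + 0..25, functions at FUNC_CHAR + 0..25.
 * These offsets are invented for the example, not bc's real values. */
#define ARRAY_CHAR 123
#define FUNC_CHAR  149

/* Sized UCHAR_MAX + 1 so every value of (u_char)c is a valid index. */
static const char *str_table[UCHAR_MAX + 1];

/* What the original (int)str[0] yields where char is signed: bytes
 * 0x80..0xff sign-extend to -128..-1.  Written with an explicit
 * 'signed char' so the result is the same on every platform. */
int sign_extended_index(const char *str)
{
    return (int)(signed char)str[0];
}

/* The cast from the diff: the same byte as 0..255. */
int unsigned_index(const char *str)
{
    return (u_char)str[0];
}

/* Slot for a single-letter array or function name, or -1 when str[0]
 * is outside 'a'..'z'.  The u_char cast alone would still let 'A'
 * (index base - 32) or byte 0xe9 (index base + 136) reach outside
 * the 26 slots starting at base. */
int letter_slot(const char *str, int base)
{
    u_char c = (u_char)str[0];

    if (c < 'a' || c > 'z')
        return -1;
    return base + (c - 'a');
}

/* 1 if idx can safely index str_table, 0 otherwise. */
int in_table(int idx)
{
    return idx >= 0 && idx < (int)(sizeof(str_table) / sizeof(str_table[0]));
}

int main(void)
{
    /* Constructed inputs: two valid names, an uppercase letter, a high byte. */
    const char *inputs[] = { "a", "z", "A", "\xe9" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        const char *s = inputs[i];
        int signed_idx = sign_extended_index(s);

        printf("byte 0x%02x: (int) -> %d (%s), (u_char) -> %d, "
               "array slot %d, func slot %d\n",
               (u_char)s[0], signed_idx,
               in_table(signed_idx) ? "in table" : "OUT OF BOUNDS",
               unsigned_index(s),
               letter_slot(s, ARRAY_CHAR), letter_slot(s, FUNC_CHAR));
    }
    return 0;
}
```

Running it shows byte 0xe9 indexing at -23 with the original cast and at 233 with the u_char cast, while the unchecked `- 'a' + ARRAY_CHAR` form of the same byte lands at 259, which is why the checked letter_slot() returns -1 for it and for 'A'.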