From bcb29b6bf8738e391c55b701c816eb03f6592c07 Mon Sep 17 00:00:00 2001
From: Jeff Young
Date: Sat, 18 Jul 2020 11:40:56 +0100
Subject: [PATCH] Fix security issue (buffer overrun).
---
 common/libeval_compiler/libeval_compiler.cpp | 6 +--
 include/libeval_compiler/libeval_compiler.h | 51 ++++++++++----------
 2 files changed, 29 insertions(+), 28 deletions(-)
diff --git a/common/libeval_compiler/libeval_compiler.cpp b/common/libeval_compiler/libeval_compiler.cpp
index 134a21f4f8..8f31ef6284 100644
--- a/common/libeval_compiler/libeval_compiler.cpp
+++ b/common/libeval_compiler/libeval_compiler.cpp
@@ -281,7 +281,7 @@ bool COMPILER::lexString( COMPILER::T_TOKEN& aToken )
 //printf("STR LIT '%s'\n", (const char *)str.c_str() );
 aToken.token = G_STRING;
- strcpy( aToken.value.value.str, str.c_str() );
+ snprintf( aToken.value.value.str, LIBEVAL_MAX_LITERAL_LENGTH, "%s", str.c_str() );
 m_tokenizer.NextChar( str.length() + 1 );
 m_lexerState = LS_DEFAULT;
@@ -381,7 +381,7 @@ bool COMPILER::lexDefault( COMPILER::T_TOKEN& aToken )
 // VALUE
 extractNumber();
 retval.token = G_VALUE;
- strcpy( retval.value.value.str, current.c_str() );
+ snprintf( retval.value.value.str, LIBEVAL_MAX_LITERAL_LENGTH, "%s", current.c_str() );
 }
 else if( ( convertFrom = resolveUnits() ) >= 0 )
 {
@@ -410,7 +410,7 @@ bool COMPILER::lexDefault( COMPILER::T_TOKEN& aToken )
 //printf("id '%s'\n", (const char *) current.c_str() ); fflush( stdout );
 retval.token = G_IDENTIFIER;
- strcpy( retval.value.value.str, current.c_str() );
+ snprintf( retval.value.value.str, LIBEVAL_MAX_LITERAL_LENGTH, "%s", current.c_str() );
 m_tokenizer.NextChar( current.length() );
 }
 else if( m_tokenizer.MatchAhead( "==", []( int c ) -> bool { return c != '='; } ) )
diff --git a/include/libeval_compiler/libeval_compiler.h b/include/libeval_compiler/libeval_compiler.h
index 24a1358854..5724232095 100644
--- a/include/libeval_compiler/libeval_compiler.h
+++ b/include/libeval_compiler/libeval_compiler.h
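Review bot: In lexString (hunk at -281) of libeval_compiler.cpp the new snprintf discards its return value, so a literal of LIBEVAL_MAX_LITERAL_LENGTH characters or more is silently cut short while `m_tokenizer.NextChar( str.length() + 1 )` still advances past the full text; the G_VALUE and G_IDENTIFIER copies in the two lexDefault hunks (-381 and -410) behave the same way. The overrun is closed, but a truncated identifier or string then compiles as a different token from the one written, which matters when the expression comes from a file the user did not author. I would reject the over-long token before the copy, e.g. `if( str.length() >= LIBEVAL_MAX_LITERAL_LENGTH ) return false;`, assuming a false return is how these lexers signal failure. Both function bodies start and end outside the hunks, so the actual error-reporting convention needs confirming there.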
@@ -99,43 +99,44 @@ struct TREE_NODE
 {
 struct value_s
 {
- char str[LIBEVAL_MAX_LITERAL_LENGTH];
- int type;
+ char str[LIBEVAL_MAX_LITERAL_LENGTH];
+ int type;
 } value;
- int op;
- TREE_NODE* leaf[2];
- UOP* uop;
- bool valid;
- bool isTerminal;
+
+ int op;
+ TREE_NODE* leaf[2];
+ UOP* uop;
+ bool valid;
+ bool isTerminal;
 };
+
 static inline TREE_NODE* copyNode( TREE_NODE& t )
 {
- auto t2 = new TREE_NODE();
- t2->valid = t.valid;
- strcpy(t2->value.str, t.value.str);
- t2->op = t.op;
- t2->value.type = t.value.type;
- t2->leaf[0] = t.leaf[0];
- t2->leaf[1] = t.leaf[1];
+ auto t2 = new TREE_NODE();
+ t2->valid = t.valid;
+ snprintf( t2->value.str, LIBEVAL_MAX_LITERAL_LENGTH, "%s", t.value.str );
+ t2->op = t.op;
+ t2->value.type = t.value.type;
+ t2->leaf[0] = t.leaf[0];
+ t2->leaf[1] = t.leaf[1];
 t2->isTerminal = false;
- t2->uop = nullptr;
+ t2->uop = nullptr;
 return t2;
 }
-
-static inline TREE_NODE* newNode( int op, int type, std::string value )
+static inline TREE_NODE* newNode( int op, int type, const std::string& value )
 {
- auto t2 = new TREE_NODE();
- t2->valid = true;
- strcpy(t2->value.str, value.c_str());
- t2->op = op;
- t2->value.type = type;
- t2->leaf[0] = nullptr;
- t2->leaf[1] = nullptr;
+ auto t2 = new TREE_NODE();
+ t2->valid = true;
+ snprintf( t2->value.str, LIBEVAL_MAX_LITERAL_LENGTH, "%s", value.c_str() );
+ t2->op = op;
+ t2->value.type = type;
+ t2->leaf[0] = nullptr;
+ t2->leaf[1] = nullptr;
 t2->isTerminal = false;
- t2->uop = nullptr;
+ t2->uop = nullptr;
 return t2;
 }
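Review bot: copyNode and newNode pass `LIBEVAL_MAX_LITERAL_LENGTH` as the snprintf bound instead of the size of the destination, so the limit and the `char str[...]` declaration in `value_s` are linked only by convention. Writing `snprintf( t2->value.str, sizeof( t2->value.str ), "%s", value.c_str() );` keeps the bound correct if the array is ever resized or retyped. newNode also truncates an over-long `value` silently and has no error path, so I would add a comment above it such as `// value is stored truncated to LIBEVAL_MAX_LITERAL_LENGTH - 1 chars; callers must check length first`. Both helpers still hand back a raw `new TREE_NODE()`; who frees it is not visible in this hunk and may deserve a one-line ownership comment.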