Fix security issue (buffer overrun).

This commit is contained in:
Jeff Young 2020-07-18 11:40:56 +01:00
parent 49d242944d
commit bcb29b6bf8
2 changed files with 29 additions and 28 deletions

View File

@ -281,7 +281,7 @@ bool COMPILER::lexString( COMPILER::T_TOKEN& aToken )
//printf("STR LIT '%s'\n", (const char *)str.c_str() );
aToken.token = G_STRING;
strcpy( aToken.value.value.str, str.c_str() );
snprintf( aToken.value.value.str, LIBEVAL_MAX_LITERAL_LENGTH, "%s", str.c_str() );
m_tokenizer.NextChar( str.length() + 1 );
m_lexerState = LS_DEFAULT;
@ -381,7 +381,7 @@ bool COMPILER::lexDefault( COMPILER::T_TOKEN& aToken )
// VALUE
extractNumber();
retval.token = G_VALUE;
strcpy( retval.value.value.str, current.c_str() );
snprintf( retval.value.value.str, LIBEVAL_MAX_LITERAL_LENGTH, "%s", current.c_str() );
}
else if( ( convertFrom = resolveUnits() ) >= 0 )
{
@ -410,7 +410,7 @@ bool COMPILER::lexDefault( COMPILER::T_TOKEN& aToken )
//printf("id '%s'\n", (const char *) current.c_str() );
fflush( stdout );
retval.token = G_IDENTIFIER;
strcpy( retval.value.value.str, current.c_str() );
snprintf( retval.value.value.str, LIBEVAL_MAX_LITERAL_LENGTH, "%s", current.c_str() );
m_tokenizer.NextChar( current.length() );
}
else if( m_tokenizer.MatchAhead( "==", []( int c ) -> bool { return c != '='; } ) )

View File

@ -99,43 +99,44 @@ struct TREE_NODE
{
struct value_s
{
char str[LIBEVAL_MAX_LITERAL_LENGTH];
int type;
char str[LIBEVAL_MAX_LITERAL_LENGTH];
int type;
} value;
int op;
TREE_NODE* leaf[2];
UOP* uop;
bool valid;
bool isTerminal;
int op;
TREE_NODE* leaf[2];
UOP* uop;
bool valid;
bool isTerminal;
};
static inline TREE_NODE* copyNode( TREE_NODE& t )
{
auto t2 = new TREE_NODE();
t2->valid = t.valid;
strcpy(t2->value.str, t.value.str);
t2->op = t.op;
t2->value.type = t.value.type;
t2->leaf[0] = t.leaf[0];
t2->leaf[1] = t.leaf[1];
auto t2 = new TREE_NODE();
t2->valid = t.valid;
snprintf( t2->value.str, LIBEVAL_MAX_LITERAL_LENGTH, "%s", t.value.str );
t2->op = t.op;
t2->value.type = t.value.type;
t2->leaf[0] = t.leaf[0];
t2->leaf[1] = t.leaf[1];
t2->isTerminal = false;
t2->uop = nullptr;
t2->uop = nullptr;
return t2;
}
static inline TREE_NODE* newNode( int op, int type, std::string value )
static inline TREE_NODE* newNode( int op, int type, const std::string& value )
{
auto t2 = new TREE_NODE();
t2->valid = true;
strcpy(t2->value.str, value.c_str());
t2->op = op;
t2->value.type = type;
t2->leaf[0] = nullptr;
t2->leaf[1] = nullptr;
auto t2 = new TREE_NODE();
t2->valid = true;
snprintf( t2->value.str, LIBEVAL_MAX_LITERAL_LENGTH, "%s", value.c_str() );
t2->op = op;
t2->value.type = type;
t2->leaf[0] = nullptr;
t2->leaf[1] = nullptr;
t2->isTerminal = false;
t2->uop = nullptr;
t2->uop = nullptr;
return t2;
}