author | Philipp Thomas <pepys@users.sourceforge.net> | 2008-05-21 08:53:21 -0700 |
---|---|---|
committer | H. Peter Anvin <hpa@zytor.com> | 2008-05-21 08:53:21 -0700 |
commit | 76ec8e73db16f4cf1453a142d03bcc74d528f72f (patch) | |
tree | 79f4465d218313a1c72e556db6865955234b6bc3 /preproc.c | |
parent | 18c3ce251712684954b5896516bdfdf7be775d1b (diff) | |
Fix buffer overflow in preproc.c (BR 1942146)
Fix buffer overflow in preproc.c due to an incorrect test. In the
code:
    for (r = p, s = ourcopy; *r; r++) {
        if (r >= p+MAX_KEYWORD)
            return tokval->t_type = TOKEN_ID; /* Not a keyword */
        *s++ = tolower(*r);
    }
    *s = '\0';
... the test really needs to be >= since for the pass where they are
equal:
a) a nonzero byte means we have > MAX_KEYWORD characters, and
b) s = ourcopy+MAX_KEYWORD; but if the test doesn't trigger,
we can write one more character *plus* the null byte, overflowing
ourcopy.
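
The off-by-one described in the commit message, replayed as an added example (not code from NASM or from this commit). MAX_KEYWORD = 9 is a constructed value, the MAX_KEYWORD+1 size of ourcopy is assumed from the message's description, and copy_keyword and use_ge are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYWORD  9                          /* constructed value, not NASM's */
#define OURCOPY_SIZE ((size_t)MAX_KEYWORD + 1)  /* assumed size of ourcopy */

/*
 * Replays the loop from the commit message. Returns the number of bytes the
 * loop stores through s (terminating NUL included), or 0 when the early
 * "not a keyword" return fires. use_ge != 0 selects the fixed >= test,
 * 0 selects the old > test. Stores that would land past OURCOPY_SIZE are
 * counted but not performed, so the demo itself never overflows.
 */
static size_t copy_keyword(const char *p, int use_ge, char ourcopy[OURCOPY_SIZE])
{
    const char *r;
    size_t n = 0;                               /* plays the role of s - ourcopy */

    for (r = p; *r; r++) {
        size_t i = (size_t)(r - p);             /* r >= p+MAX_KEYWORD as an index */
        if (use_ge ? (i >= MAX_KEYWORD) : (i > MAX_KEYWORD))
            return 0;                           /* too long to be a keyword */
        if (n < OURCOPY_SIZE)
            ourcopy[n] = (char)tolower((unsigned char)*r);
        n++;
    }
    if (n < OURCOPY_SIZE)
        ourcopy[n] = '\0';
    return n + 1;                               /* characters plus the NUL */
}

int main(void)
{
    /* constructed inputs of MAX_KEYWORD, MAX_KEYWORD+1 and MAX_KEYWORD+2 chars */
    const char *in[] = { "ABCDEFGHI", "ABCDEFGHIJ", "ABCDEFGHIJK" };
    char buf[OURCOPY_SIZE];

    for (size_t k = 0; k < 3; k++) {
        size_t old_n = copy_keyword(in[k], 0, buf);
        size_t new_n = copy_keyword(in[k], 1, buf);
        printf("len=%zu  old(>) writes %zu  fixed(>=) writes %zu  buffer=%zu\n",
               strlen(in[k]), old_n, new_n, OURCOPY_SIZE);
    }
    return 0;
}
```

Only the input of exactly MAX_KEYWORD+1 characters separates the two tests: the old > test lets it through and stores one byte more than the buffer holds, while >= rejects it.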
Diffstat (limited to 'preproc.c')
-rw-r--r-- | preproc.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -1074,7 +1074,7 @@ static int ppscan(void *private_data, struct tokenval *tokval) } for (r = p, s = ourcopy; *r; r++) { - if (r > p+MAX_KEYWORD) + if (r >= p+MAX_KEYWORD) return tokval->t_type = TOKEN_ID; /* Not a keyword */ *s++ = tolower(*r); } |
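Review bot: the new test "if (r >= p+MAX_KEYWORD)" in the for loop bounds the read pointer r, but what it protects is the write through s into ourcopy, whose declaration and size are not visible in this hunk. The check is only correct while ourcopy holds at least MAX_KEYWORD+1 bytes, so I would add a comment at the loop stating that invariant, or, if ourcopy is an array, test the destination directly (for example s >= ourcopy + sizeof(ourcopy) - 1) so the two cannot drift apart when either is changed later. Separately, on the unchanged line "*s++ = tolower(*r);", if r is a plain char pointer the argument should be cast to unsigned char, since passing a negative char value to tolower() is undefined behaviour.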