Merge pull request #2874 from cremno/fix-parser-oob-write

Coverity: fix oob write by actually truncating buffer
author: Yukihiro "Matz" Matsumoto <[email protected]> 2015-07-03 15:03:45 +0900
committer: Yukihiro "Matz" Matsumoto <[email protected]> 2015-07-03 15:03:45 +0900
commit: 1dbb2b74d344f409c03c36a6dc831a647602cf0a (patch)
tree: 1a6b9c9e99f56c0e4adc5d0df7c540cdb2695f17
parent: b071dcd4fb7b5a36343210c595e44b62cee732b8 (diff)
parent: 24583a7a1806dd1845700e12e8b0b823688e9879 (diff)
download: mruby-1dbb2b74d344f409c03c36a6dc831a647602cf0a.tar.gz
mruby-1dbb2b74d344f409c03c36a6dc831a647602cf0a.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/mrbgems/mruby-compiler/core/parse.y b/mrbgems/mruby-compiler/core/parse.y
index 64f0a8821..b057cac17 100644
--- a/mrbgems/mruby-compiler/core/parse.y
+++ b/mrbgems/mruby-compiler/core/parse.y
@@ -3604,10 +3604,13 @@ toklast(parser_state *p)
 static void
 tokfix(parser_state *p)
 {
-  if (p->bidx >= MRB_PARSER_BUF_SIZE) {
+  int i = p->bidx, imax = MRB_PARSER_BUF_SIZE - 1;
+
+  if (i > imax) {
+    i = imax;
     yyerror(p, "string too long (truncated)");
   }
-  p->buf[p->bidx] = '\0';
+  p->buf[i] = '\0';
 }
 
 static const char*
author	Yukihiro "Matz" Matsumoto <[email protected]>	2015-07-03 15:03:45 +0900
committer	Yukihiro "Matz" Matsumoto <[email protected]>	2015-07-03 15:03:45 +0900
commit	1dbb2b74d344f409c03c36a6dc831a647602cf0a (patch)
tree	1a6b9c9e99f56c0e4adc5d0df7c540cdb2695f17
parent	b071dcd4fb7b5a36343210c595e44b62cee732b8 (diff)
parent	24583a7a1806dd1845700e12e8b0b823688e9879 (diff)
download	mruby-1dbb2b74d344f409c03c36a6dc831a647602cf0a.tar.gz mruby-1dbb2b74d344f409c03c36a6dc831a647602cf0a.zip