| author | cremno <[email protected]> | 2015-07-03 01:30:54 +0200 |
|---|---|---|
| committer | cremno <[email protected]> | 2015-07-03 01:30:54 +0200 |
| commit | 24583a7a1806dd1845700e12e8b0b823688e9879 (patch) | |
| tree | 3f69eda19ad7c767f40c7cb98108890a26e2266c | |
| parent | ff49cf95fca2d1648f05dd636c8f8516c8edc815 (diff) | |
fix oob write by actually truncating buffer
Found by Coverity scan of polyfox-moon:
CID 121927 (#1 of 1): Out-of-bounds write (OVERRUN)
| -rw-r--r-- | mrbgems/mruby-compiler/core/parse.y | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/mrbgems/mruby-compiler/core/parse.y b/mrbgems/mruby-compiler/core/parse.y
index f6a43d32b..26062967d 100644
--- a/mrbgems/mruby-compiler/core/parse.y
+++ b/mrbgems/mruby-compiler/core/parse.y
@@ -3604,10 +3604,13 @@ toklast(parser_state *p)
 static void
 tokfix(parser_state *p)
 {
- if (p->bidx >= MRB_PARSER_BUF_SIZE) {
+ int i = p->bidx, imax = MRB_PARSER_BUF_SIZE - 1;
+
+ if (i > imax) {
+ i = imax;
 yyerror(p, "string too long (truncated)");
 }
- p->buf[p->bidx] = '\0';
+ p->buf[i] = '\0';
 }
 
 static const char* |
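Review bot: The clamp in `tokfix()` is applied only to the local `i`, so after truncation `p->bidx` still holds the unclamped index while the terminator is written at `MRB_PARSER_BUF_SIZE - 1`. Any code outside this hunk that takes the token length from `p->bidx` (not visible here, so this needs checking against the callers) would then work with a length that runs past the NUL. Consider writing the clamped value back inside the `if`, e.g. `p->bidx = i;`. If the mismatch is intentional, say so in a comment such as `/* p->bidx is left unclamped; it is not the string length after truncation */`. The write is also only in bounds if `p->bidx` is never negative, which depends on the code that advances it elsewhere in the file.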
