| author | cremno <[email protected]> | 2015-05-28 12:52:44 +0200 |
|---|---|---|
| committer | cremno <[email protected]> | 2015-05-28 12:52:44 +0200 |
| commit | ce31272dba2a67772daeca34940c2e60cd183a85 (patch) | |
| tree | 7f2fa7ec823e376a21bf66d60d7da5b6d7ab5609 /src/parse.y | |
| parent | b1871cf446a5cde128f8601b5517a8760af67940 (diff) | |

fix capture group index bug

atoi() is used to convert the index to an int but the behavior is
undefined if the value can't be represented.

    > $9999999999
    00007 NODE_SCOPE:
    00007 NODE_BEGIN:
    00007 NODE_NTH_REF: $2147483647
    irep 00630580 nregs=2 nlocals=1 pools=0 syms=1 reps=0
    file: (mirb)
    7 000 OP_GETGLOBAL R1 :$2147483647
    7 001 OP_STOP

Call strtoul() instead as its behavior in such cases is defined and add
a simple range check.

Alternatively NODE_NTH_REF's cdr could be changed from int to mrb_sym
(like NODE_GVAR).

Diffstat (limited to 'src/parse.y')
| -rw-r--r-- | src/parse.y | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/parse.y b/src/parse.y index 76220499e..5b17649a9 100644 --- a/src/parse.y +++ b/src/parse.y @@ -5118,7 +5118,14 @@ parser_yylex(parser_state *p) pushback(p, c); if (last_state == EXPR_FNAME) goto gvar; tokfix(p); - yylval.nd = new_nth_ref(p, atoi(tok(p))); + { + unsigned long n = strtoul(tok(p), NULL, 10); + if (n > INT_MAX) { + yyerror_i(p, "capture group index must be <= %d", INT_MAX); + return 0; + } + yylval.nd = new_nth_ref(p, (int)n); + } return tNTH_REF; default: |
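
Review bot: In the block that replaces the atoi() call, the range check `if (n > INT_MAX)` and the yyerror_i() message both depend on INT_MAX, yet the eight added lines contain no `#include <limits.h>`; confirm that src/parse.y already includes it, and add it with this change if not. The same check also catches strtoul() overflow, because the function then returns ULONG_MAX, which is greater than INT_MAX, so no separate errno test is needed; a one-line comment saying so would help the next reader. Separately, `return 0;` after yyerror_i() gives the parser the end-of-input token, so nothing after the oversized reference is parsed. If that is intended, say so in a comment; otherwise consider reporting the error and still returning tNTH_REF so that later errors in the same input are reported as well.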
