From 57e617620a4fa8b144dd87e94dc22ae2acd87679 Mon Sep 17 00:00:00 2001
From: Clayton Smith
Date: Thu, 11 Apr 2019 20:07:43 -0400
Subject: Fix buffer overflows in parser.

---
 mrbgems/mruby-compiler/core/parse.y | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
(limited to 'mrbgems/mruby-compiler')

diff --git a/mrbgems/mruby-compiler/core/parse.y b/mrbgems/mruby-compiler/core/parse.y
index cb62ec3f2..ca4c90770 100644
--- a/mrbgems/mruby-compiler/core/parse.y
+++ b/mrbgems/mruby-compiler/core/parse.y
@@ -3716,8 +3716,9 @@ yyerror_c(parser_state *p, const char *msg, char c)
 {
   char buf[256];
 
-  strcpy(buf, msg);
-  strcat(buf, &c);
+  strncpy(buf, msg, sizeof(buf) - 2);
+  buf[sizeof(buf) - 2] = '\0';
+  strncat(buf, &c, 1);
   yyerror(p, buf);
 }
 
@@ -3760,9 +3761,10 @@ yywarning_s(parser_state *p, const char *msg, const char *s)
 {
   char buf[256];
 
-  strcpy(buf, msg);
-  strcat(buf, ": ");
-  strcat(buf, s);
+  strncpy(buf, msg, sizeof(buf) - 1);
+  buf[sizeof(buf) - 1] = '\0';
+  strncat(buf, ": ", sizeof(buf) - strlen(buf) - 1);
+  strncat(buf, s, sizeof(buf) - strlen(buf) - 1);
   yywarning(p, buf);
 }
 
@@ -4326,11 +4328,12 @@ parse_string(parser_state *p)
 
       if (sizeof(s1)+sizeof(s2)+strlen(hinf->term)+1 >= sizeof(buf)) {
         yyerror(p, "can't find heredoc delimiter anywhere before EOF");
+      } else {
+        strcpy(buf, s1);
+        strcat(buf, hinf->term);
+        strcat(buf, s2);
+        yyerror(p, buf);
       }
-      strcpy(buf, s1);
-      strcat(buf, hinf->term);
-      strcat(buf, s2);
-      yyerror(p, buf);
       return 0;
     }
     pylval.nd = new_str(p, tok(p), toklen(p));
@@ -4487,7 +4490,7 @@ parse_string(parser_state *p)
         strcat(msg, "s");
       }
       strcat(msg, " - ");
-      strcat(msg, tok(p));
+      strncat(msg, tok(p), sizeof(msg) - strlen(msg) - 1);
       yyerror(p, msg);
     }
     if (f != 0) {
@@ -4918,7 +4921,7 @@ parser_yylex(parser_state *p)
         char cc = (char)c2;
 
         strcpy(buf, "invalid character syntax; use ?\\");
-        strcat(buf, &cc);
+        strncat(buf, &cc, 1);
         yyerror(p, buf);
       }
     }
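Review bot: The strncpy/strncat sequence in yyerror_c is a hand-rolled bounded format, and strncpy additionally NUL-pads the whole 256-byte buffer on every call; `snprintf(buf, sizeof(buf), "%s%c", msg, c);` produces the same bounded, always-terminated result in one line. The same simplification applies to the yywarning_s hunk (`snprintf(buf, sizeof(buf), "%s: %s", msg, s);`), the parser_yylex hunk at 4918 and the mrb_load_exec hunk, where a single snprintf replaces the strcpy/strcat/strncat chain. If the project prefers to keep strncat, the non-obvious part deserves a comment, since `&c` is not a NUL-terminated string: `/* count of 1: &c points at a single char, not a string */`.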
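Review bot: The guard that the new else branch relies on is not obvious at the strcpy/strcat site, because `sizeof(s1)+sizeof(s2)` counts the two literal terminators and so over-reserves by two bytes; a comment on the else branch would make the bound explicit, e.g. `/* guarded above: s1 + term + s2 + NUL fit in buf */`. parse_string's body starts and ends outside the hunk, so the declarations of s1, s2 and buf cannot be checked here.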
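Review bot: `sizeof(msg)` in the new strncat is the buffer capacity only if msg is declared as an array inside parse_string; the declaration is outside the hunk, and on a pointer the expression would silently yield the pointer width and the bound would be wrong. The same check applies to `sizeof(buf)` in the mrb_load_exec hunk. A short comment next to each declaration, `/* fixed-size array: sizeof gives its capacity */`, would document the assumption the bound depends on. Truncating tok(p) here silently drops the tail of the token from the error message, which looks acceptable for a diagnostic but is worth a one-line note.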
@@ -6147,7 +6150,7 @@ mrb_load_exec(mrb_state *mrb, struct mrb_parser_state *p, mrbc_context *c)
       strcpy(buf, "line ");
       dump_int(p->error_buffer[0].lineno, buf+5);
       strcat(buf, ": ");
-      strcat(buf, p->error_buffer[0].message);
+      strncat(buf, p->error_buffer[0].message, sizeof(buf) - strlen(buf) - 1);
       mrb->exc = mrb_obj_ptr(mrb_exc_new(mrb, E_SYNTAX_ERROR, buf, strlen(buf)));
       mrb_parser_free(p);
       return mrb_undef_value();
-- cgit v1.2.3
From 00545fc51d33a9c71d610cc8da5e779cf29487af Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Fri, 12 Apr 2019 22:52:26 +0900
Subject: The number of local variables should be less than 1024; fix #4370

The `env` stores stack length in a 10 bit field. See `MRB_ENV_STACK_LEN()` macro.
---
 mrbgems/mruby-compiler/core/codegen.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'mrbgems/mruby-compiler')

diff --git a/mrbgems/mruby-compiler/core/codegen.c b/mrbgems/mruby-compiler/core/codegen.c
index 927cc3a0f..4bb81f415 100644
--- a/mrbgems/mruby-compiler/core/codegen.c
+++ b/mrbgems/mruby-compiler/core/codegen.c
@@ -3020,6 +3020,9 @@ scope_finish(codegen_scope *s)
   mrb_state *mrb = s->mrb;
   mrb_irep *irep = s->irep;
 
+  if (s->nlocals >= 0x3ff) {
+    codegen_error(s, "too many local variables");
+  }
   irep->flags = 0;
   if (s->iseq) {
     irep->iseq = (mrb_code *)codegen_realloc(s, s->iseq, sizeof(mrb_code)*s->pc);
-- cgit v1.2.3
From befdf59e610b43e7043b83074a2cc34070ae4e5f Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Fri, 12 Apr 2019 22:54:25 +0900
Subject: Deallocate `s->lines` in `codegen_error`; ref #4370

---
 mrbgems/mruby-compiler/core/codegen.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'mrbgems/mruby-compiler')

diff --git a/mrbgems/mruby-compiler/core/codegen.c b/mrbgems/mruby-compiler/core/codegen.c
index 4bb81f415..b6d35f363 100644
--- a/mrbgems/mruby-compiler/core/codegen.c
+++ b/mrbgems/mruby-compiler/core/codegen.c
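Review bot: The limit `0x3ff` in the new scope_finish check is a magic number that encodes the 10-bit stack-length field the commit message refers to; it should be named or at least commented, e.g. `/* MRB_ENV_STACK_LEN() is a 10-bit field; nlocals must stay below 0x3ff */`. The comparison also rejects nlocals == 1023, so if 1023 is representable in that field and not reserved as a sentinel, `>` would be the intended bound; worth confirming against the macro. scope_finish continues outside the hunk, and the hunk does not show whether codegen_error returns to the caller; if it does, the code below would keep finishing the oversized scope.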
@@ -102,6 +102,7 @@ codegen_error(codegen_scope *s, const char *message)
   while (s->prev) {
     codegen_scope *tmp = s->prev;
     mrb_free(s->mrb, s->iseq);
+    mrb_free(s->mrb, s->lines);
     mrb_pool_close(s->mpool);
     s = tmp;
   }
-- cgit v1.2.3
From c2fa935fee31c201ba4b07e72690e78a3094cf68 Mon Sep 17 00:00:00 2001
From: dearblue
Date: Sun, 14 Apr 2019 16:11:21 +0900
Subject: Fix hexdigits convertion

---
 mrbgems/mruby-compiler/core/parse.y | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'mrbgems/mruby-compiler')

diff --git a/mrbgems/mruby-compiler/core/parse.y b/mrbgems/mruby-compiler/core/parse.y
index ca4c90770..f6b883b9e 100644
--- a/mrbgems/mruby-compiler/core/parse.y
+++ b/mrbgems/mruby-compiler/core/parse.y
@@ -5712,10 +5712,11 @@ parser_yylex(parser_state *p)
     if (!identchar(c)) {
       char buf[36];
       const char s[] = "Invalid char in expression: 0x";
+      const char hexdigits[] = "0123456789ABCDEF";
 
       strcpy(buf, s);
-      buf[sizeof(s)] = (c & 0xff00) >> 8;
-      buf[sizeof(s)+1] = (c & 0xff);
+      buf[sizeof(s)] = hexdigits[(c & 0xf0) >> 4];
+      buf[sizeof(s)+1] = hexdigits[(c & 0x0f)];
       buf[sizeof(s)+2] = 0;
       yyerror(p, buf);
       goto retry;
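Review bot: The new `mrb_free(s->mrb, s->lines)` is placed before `mrb_pool_close(s->mpool)`, and that order matters if the scope struct itself lives in the pool (not visible in the hunk); a comment would keep a future reorder from turning it into a use-after-free: `/* release per-scope buffers before closing the pool that may own the scope */`. The loop stops at the root scope (the one with `s->prev == NULL`), so that scope's iseq and lines are not released in this loop; whether the code after the hunk handles it cannot be seen from here. The call also presumes `s->lines` is NULL for scopes that never allocated line info — worth confirming where the scope is initialised. codegen_error continues outside the hunk.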
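Review bot: The hex digits are stored at `buf[sizeof(s)]` and `buf[sizeof(s)+1]`, but `sizeof(s)` counts the literal's terminating NUL, so `buf[sizeof(s)-1]` still holds the '\0' that strcpy wrote and the digits never reach the message; the indices have to start at `sizeof(s)-1` (the next commit on this page makes that correction). The index arithmetic can be avoided entirely with `snprintf(buf, sizeof(buf), "%s%02X", s, (unsigned)(c & 0xff));`, which fits the 36-byte buffer and cannot lose the terminator. parser_yylex continues outside the hunk, so the type and range of c are not visible here.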
@@ -5715,9 +5715,9 @@ parser_yylex(parser_state *p)
       const char hexdigits[] = "0123456789ABCDEF";
 
       strcpy(buf, s);
-      buf[sizeof(s)] = hexdigits[(c & 0xf0) >> 4];
-      buf[sizeof(s)+1] = hexdigits[(c & 0x0f)];
-      buf[sizeof(s)+2] = 0;
+      buf[sizeof(s)-1] = hexdigits[(c & 0xf0) >> 4];
+      buf[sizeof(s)] = hexdigits[(c & 0x0f)];
+      buf[sizeof(s)+1] = 0;
       yyerror(p, buf);
       goto retry;
     }
-- cgit v1.2.3
From 3f3e4754d931004838278c1483e047a3635ebeb0 Mon Sep 17 00:00:00 2001
From: dearblue
Date: Sun, 14 Apr 2019 15:58:11 +0900
Subject: Fix leaked function symbols

- `free_heap()` in src/gc.c
- `symhash()` in src/symbol.c
- `no_optimize()` in mrbgems/mruby-compiler/core/codegen.c
---
 mrbgems/mruby-compiler/core/codegen.c | 3 +--
 src/gc.c | 2 +-
 src/symbol.c | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)
(limited to 'mrbgems/mruby-compiler')

diff --git a/mrbgems/mruby-compiler/core/codegen.c b/mrbgems/mruby-compiler/core/codegen.c
index b6d35f363..ed8fc3150 100644
--- a/mrbgems/mruby-compiler/core/codegen.c
+++ b/mrbgems/mruby-compiler/core/codegen.c
@@ -273,8 +273,7 @@ genop_W(codegen_scope *s, mrb_code i, uint32_t a)
 #define NOVAL 0
 #define VAL 1
 
-//static
-mrb_bool
+static mrb_bool
 no_optimize(codegen_scope *s)
 {
   if (s && s->parser && s->parser->no_optimize)
diff --git a/src/gc.c b/src/gc.c
index ec52787e8..d07335eca 100644
--- a/src/gc.c
+++ b/src/gc.c
@@ -396,7 +396,7 @@ mrb_gc_init(mrb_state *mrb, mrb_gc *gc)
 
 static void obj_free(mrb_state *mrb, struct RBasic *obj, int end);
 
-void
+static void
 free_heap(mrb_state *mrb, mrb_gc *gc)
 {
   mrb_heap_page *page = gc->heaps;
diff --git a/src/symbol.c b/src/symbol.c
index 96ca9dd17..b26f2b1fd 100644
--- a/src/symbol.c
+++ b/src/symbol.c
@@ -91,7 +91,7 @@ sym_inline_unpack(mrb_sym sym, char *buf, mrb_int *lenp)
 }
 #endif
 
-uint8_t
+static uint8_t
 symhash(const char *key, size_t len)
 {
   uint32_t hash, i;
-- cgit v1.2.3