From ce31272dba2a67772daeca34940c2e60cd183a85 Mon Sep 17 00:00:00 2001 From: cremno Date: Thu, 28 May 2015 12:52:44 +0200 Subject: fix capture group index bug atoi() is used to convert the index to an int but the behavior is undefined if the value can't be represented. > $9999999999 00007 NODE_SCOPE: 00007 NODE_BEGIN: 00007 NODE_NTH_REF: $2147483647 irep 00630580 nregs=2 nlocals=1 pools=0 syms=1 reps=0 file: (mirb) 7 000 OP_GETGLOBAL R1 :$2147483647 7 001 OP_STOP Call strtoul() instead as its behavior in such cases is defined and add a simple range check. Alternatively NODE_NTH_REF's cdr could be changed from int to mrb_sym (like NODE_GVAR).
---
 src/parse.y | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'src/parse.y')
diff --git a/src/parse.y b/src/parse.y
index 76220499e..5b17649a9 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -5118,7 +5118,14 @@ parser_yylex(parser_state *p)
       pushback(p, c);
       if (last_state == EXPR_FNAME) goto gvar;
       tokfix(p);
-      yylval.nd = new_nth_ref(p, atoi(tok(p)));
+      {
+        unsigned long n = strtoul(tok(p), NULL, 10);
+        if (n > INT_MAX) {
+          yyerror_i(p, "capture group index must be <= %d", INT_MAX);
+          return 0;
+        }
+        yylval.nd = new_nth_ref(p, (int)n);
+      }
       return tNTH_REF;
 
     default:
-- 
cgit v1.2.3
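Review bot: The `n > INT_MAX` check silently does double duty as the overflow check, because strtoul() returns ULONG_MAX on ERANGE and ULONG_MAX is greater than INT_MAX on every platform, but nothing in the hunk says so; a later maintainer may bolt on an errno check or, worse, relax the bound without realizing it is load-bearing. I would put that above the if: `/* strtoul() yields ULONG_MAX on overflow, so the INT_MAX bound also rejects ERANGE; no errno check needed */`. Passing NULL for endptr is only safe if tok(p) holds digits only, which presumably is guaranteed by the digit-collecting loop above the hunk, outside this view, and is worth stating in the same comment so the assumption is visible at the call. INT_MAX requires <limits.h>, and the hunk does not show whether parse.y already includes it. parser_yylex begins and ends outside the hunk.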