commit 21c1937146f4b5acc6e3a5a695116419f19554ad
parent f00413b6a611d855fc398604c10a5b8c0afa596b
Author: Roberto E. Vargas Caballero <k0ga@shike2.com>
Date: Fri, 17 Jul 2015 22:24:22 +0200
Remove buffer overflow in expand()
Macro expansion is done by replacing the macro invocation
with the macro expansion. This means that the size of the line
is different after the operation, but there was no check
of this new size.
Diffstat:
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/cc1/cpp.c b/cc1/cpp.c
@@ -210,12 +210,16 @@ print_subs:
fprintf(stderr, "macro '%s' expanded to :'%s'\n", macroname, buffer);
len = strlen(buffer);
+ if (begin - input->line + len >= LINESIZ-1)
+ error("macro expansion too long");
+
/* cut macro invocation */
memmove(begin, input->p, input->p - begin);
- memmove(begin + len, begin, len);
/* paste macro expansion */
+ memmove(begin + len, begin, len);
memcpy(begin, buffer, len);
+
input->p = input->begin = begin;
return 1;
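Review bot: The new guard `if (begin - input->line + len >= LINESIZ-1)` counts only the text before the macro and the expansion itself, not the rest of the line after `input->p`, so a line with a long tail can still pass the check and be written past the end of `input->line` (assuming that buffer is LINESIZ bytes). The two `memmove` calls have the same blind spot: they copy `input->p - begin` and `len` bytes rather than the length of the tail, so the tail may be truncated or read beyond its terminator. I would measure the tail once (this presumes the line is NUL-terminated), include it in the bound, and shift it with a single `memmove`, as sketched below. If `error()` can return, the copy also has to be skipped explicitly after the call; that is not visible here, and the function starts above the hunk at `print_subs:`.

```c
len = strlen(buffer);
size_t tail = strlen(input->p) + 1;	/* rest of the line, including its NUL */

if ((size_t)(begin - input->line) + len + tail > LINESIZ)
	error("macro expansion too long");

/* shift the tail to its final place, then paste the expansion */
memmove(begin + len, input->p, tail);
memcpy(begin, buffer, len);
/* … unchanged: input->p / input->begin reset, return 1 … */
```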