Date:      Fri, 27 Nov 2009 17:53:49 +0000 (UTC)
From:      Tony Finch <fanf@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r199867 - head/usr.bin/unifdef
Message-ID:  <200911271753.nARHrn3Z026212@svn.freebsd.org>

Author: fanf
Date: Fri Nov 27 17:53:49 2009
New Revision: 199867
URL: http://svn.freebsd.org/changeset/base/199867

Log:
  unifdef: fix invalid array access when nesting limit exceeded
  
  If the number of nested #if blocks exceeds 64, nest() increments
  the nesting depth and then reports an error.  The message includes
  the line number for the start of the current #if block, which is
  read from past the end of the relevant array.
  
  Avoid the out-of-bounds read by reporting the error and exiting
  before the nesting depth has a chance to increase.
  
  Submitted by: Jonathan Nieder <jrnieder@gmail.com>

Modified:
  head/usr.bin/unifdef/unifdef.c

Modified: head/usr.bin/unifdef/unifdef.c
==============================================================================
--- head/usr.bin/unifdef/unifdef.c	Fri Nov 27 17:25:19 2009	(r199866)
+++ head/usr.bin/unifdef/unifdef.c	Fri Nov 27 17:53:49 2009	(r199867)
@@ -24,17 +24,19 @@
  */
 
 /*
- * This code is derived from software contributed to Berkeley by Dave Yost.
+ * This code was derived from software contributed to Berkeley by Dave Yost.
  * It was rewritten to support ANSI C by Tony Finch. The original version
  * of unifdef carried the 4-clause BSD copyright licence. None of its code
  * remains in this version (though some of the names remain) so it now
  * carries a more liberal licence.
+ *
+ * The latest version is available from http://dotat.at/prog/unifdef
  */
 
 #include <sys/cdefs.h>
 
 #ifdef __IDSTRING
-__IDSTRING(dotat, "$dotat: unifdef/unifdef.c,v 1.188 2009/11/25 00:11:02 fanf2 Exp $");
+__IDSTRING(dotat, "$dotat: unifdef/unifdef.c,v 1.190 2009/11/27 17:21:26 fanf2 Exp $");
 #endif
 #ifdef __FBSDID
 __FBSDID("$FreeBSD$");
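Review bot: the header comment rewording ("is derived" to "was derived"), the new upstream URL and the `$dotat$` ident bump from 1.188 to 1.190 in this hunk are unrelated to the out-of-bounds fix and are not mentioned in the log. Either note in the log that the commit also syncs these lines with the upstream revision, or land them separately so the security-relevant change to nest() is the only thing in the fix commit.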
@@ -460,9 +462,11 @@ keywordedit(const char *replacement)
 static void
 nest(void)
 {
-	depth += 1;
-	if (depth >= MAXDEPTH)
+	if (depth > MAXDEPTH-1)
+		abort(); /* bug */
+	if (depth == MAXDEPTH-1)
 		error("Too many levels of nesting");
+	depth += 1;
 	stifline[depth] = linenum;
 }
 static void
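Review bot: in nest(), the store `stifline[depth] = linenum;` after `depth += 1;` stays in bounds only because error() does not return, which the log implies ("reporting the error and exiting") but the code does not say. A short comment on the `depth == MAXDEPTH-1` branch stating that error() exits would protect the invariant if error() is ever changed to return. The `abort(); /* bug */` branch would also read better with a comment naming the invariant it guards (depth must already be below MAXDEPTH on entry). Two smaller points: the effective nesting limit is unchanged by the reordering, which is worth stating in the log, and because depth is no longer incremented before error() runs, the line number in the message now refers to the enclosing #if block rather than the one that exceeded the limit.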


