unifdef: fix invalid array access when nesting limit exceeded

If the number of nested #if blocks exceeds 64, nest() increments
the nesting depth and then reports an error.  The message includes
the line number for the start of the current #if block, which is
read from past the end of the relevant array.

Avoid the out-of-bounds read by reporting the error and exiting
before the nesting depth has a chance to increase.

Submitted by: Jonathan Nieder <jrnieder@gmail.com>

1 files changed, 8 insertions, 4 deletions

diff --git a/usr.bin/unifdef/unifdef.c b/usr.bin/unifdef/unifdef.c
index 82e0e6b..be5b4fc 100644
--- a/usr.bin/unifdef/unifdef.c
+++ b/usr.bin/unifdef/unifdef.c
@@ -24,17 +24,19 @@
  */
 
 /*
- * This code is derived from software contributed to Berkeley by Dave Yost.
+ * This code was derived from software contributed to Berkeley by Dave Yost.
  * It was rewritten to support ANSI C by Tony Finch. The original version
  * of unifdef carried the 4-clause BSD copyright licence. None of its code
  * remains in this version (though some of the names remain) so it now
  * carries a more liberal licence.
+ *
+ * The latest version is available from http://dotat.at/prog/unifdef
  */
 
 #include <sys/cdefs.h>
 
 #ifdef __IDSTRING
-__IDSTRING(dotat, "$dotat: unifdef/unifdef.c,v 1.188 2009/11/25 00:11:02 fanf2 Exp $");
+__IDSTRING(dotat, "$dotat: unifdef/unifdef.c,v 1.190 2009/11/27 17:21:26 fanf2 Exp $");
 #endif
 #ifdef __FBSDID
 __FBSDID("$FreeBSD$");
@@ -460,9 +462,11 @@ keywordedit(const char *replacement)
 static void
 nest(void)
 {
-	depth += 1;
-	if (depth >= MAXDEPTH)
+	if (depth > MAXDEPTH-1)
+		abort(); /* bug */
+	if (depth == MAXDEPTH-1)
 		error("Too many levels of nesting");
+	depth += 1;
 	stifline[depth] = linenum;
 }
 static void