From a855bffe7835f373e9b80eba00b37a339bac226e Mon Sep 17 00:00:00 2001 From: fanf Date: Fri, 27 Nov 2009 17:53:49 +0000 Subject: unifdef: fix invalid array access when nesting limit exceeded If the number of nested #if blocks exceeds 64, nest() increments the nesting depth and then reports an error. The message includes the line number for the start of the current #if block, which is read from past the end of the relevant array. Avoid the out-of-bounds read by reporting the error and exiting before the nesting depth has a chance to increase. Submitted by: Jonathan Nieder --- usr.bin/unifdef/unifdef.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'usr.bin') diff --git a/usr.bin/unifdef/unifdef.c b/usr.bin/unifdef/unifdef.c index 82e0e6b..be5b4fc 100644 --- a/usr.bin/unifdef/unifdef.c +++ b/usr.bin/unifdef/unifdef.c @@ -24,17 +24,19 @@ */ /* - * This code is derived from software contributed to Berkeley by Dave Yost. + * This code was derived from software contributed to Berkeley by Dave Yost. * It was rewritten to support ANSI C by Tony Finch. The original version * of unifdef carried the 4-clause BSD copyright licence. None of its code * remains in this version (though some of the names remain) so it now * carries a more liberal licence. + * + * The latest version is available from http://dotat.at/prog/unifdef */ #include #ifdef __IDSTRING -__IDSTRING(dotat, "$dotat: unifdef/unifdef.c,v 1.188 2009/11/25 00:11:02 fanf2 Exp $"); +__IDSTRING(dotat, "$dotat: unifdef/unifdef.c,v 1.190 2009/11/27 17:21:26 fanf2 Exp $"); #endif #ifdef __FBSDID __FBSDID("$FreeBSD$"); @@ -460,9 +462,11 @@ keywordedit(const char *replacement) static void nest(void) { - depth += 1; - if (depth >= MAXDEPTH) + if (depth > MAXDEPTH-1) + abort(); /* bug */ + if (depth == MAXDEPTH-1) error("Too many levels of nesting"); + depth += 1; stifline[depth] = linenum; } static void -- cgit v1.1