This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[PATCH libcpp]: Avoid crash in interpret_float_suffix


Hi,

the function libcpp/expr.c:interpret_float_suffix allows its argument LEN to be 0, but in this case it tries to read before the buffer S.  It is not a real issue, except in case of overflow:  on VMS with 64bit pointers but 32bit size_t, the following code:
  s[len-1]
is evaluated as
  s[0xffffffff]
which is likely (and does) crash cc1.

To avoid this nasty effect, I just added a guard.

Bootstrapped and regtested on i386/GNU linux.

Ok for trunk ?

Tristan.

libcpp/
2012-05-04  Tristan Gingold  <gingold@adacore.com>

	* expr.c (interpret_float_suffix): Add a guard.

diff --git a/libcpp/expr.c b/libcpp/expr.c
index d56e56a..ca1c3d1 100644
--- a/libcpp/expr.c
+++ b/libcpp/expr.c
@@ -110,12 +110,13 @@ interpret_float_suffix (const uchar *s, size_t len)
     }
 
   /* Recognize a fixed-point suffix.  */
-  switch (s[len-1])
-    {
-    case 'k': case 'K': flags = CPP_N_ACCUM; break;
-    case 'r': case 'R': flags = CPP_N_FRACT; break;
-    default: break;
-    }
+  if (len != 0)
+    switch (s[len-1])
+      {
+      case 'k': case 'K': flags = CPP_N_ACCUM; break;
+      case 'r': case 'R': flags = CPP_N_FRACT; break;
+      default: break;
+      }
 
   /* Continue processing a fixed-point suffix.  The suffix is case
      insensitive except for ll or LL.  Order is significant.  */


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]