diff options
| author | Paul Eggert | 2017-04-29 23:35:27 -0700 |
|---|---|---|
| committer | Paul Eggert | 2017-04-29 23:35:46 -0700 |
| commit | a3f3fea14abbc59a2b47cae5bec6252ec3a1f8cf (patch) | |
| tree | 9539ab24679a257a5282d626350a1af01b9e2aa5 /lib-src | |
| parent | 7cc329fd734992369efd17f6758a732bc5377908 (diff) | |
| download | emacs-a3f3fea14abbc59a2b47cae5bec6252ec3a1f8cf.tar.gz emacs-a3f3fea14abbc59a2b47cae5bec6252ec3a1f8cf.zip | |
Fix buffer overflow in make-docfile
* lib-src/make-docfile.c (scan_c_stream): Check for buffer
overflow when reading an identifier. Use a static buffer for NAME
rather than a small dynamically-allocated buffer.
Diffstat (limited to 'lib-src')
| -rw-r--r-- | lib-src/make-docfile.c | 16 |
1 files changed, 3 insertions, 13 deletions
diff --git a/lib-src/make-docfile.c b/lib-src/make-docfile.c index 53970a06238..9470bd635f5 100644 --- a/lib-src/make-docfile.c +++ b/lib-src/make-docfile.c | |||
| @@ -845,8 +845,7 @@ scan_c_stream (FILE *infile) | |||
| 845 | bool defvarperbufferflag = false; | 845 | bool defvarperbufferflag = false; |
| 846 | bool defvarflag = false; | 846 | bool defvarflag = false; |
| 847 | enum global_type type = INVALID; | 847 | enum global_type type = INVALID; |
| 848 | static char *name; | 848 | static char name[sizeof input_buffer]; |
| 849 | static ptrdiff_t name_size; | ||
| 850 | 849 | ||
| 851 | if (c != '\n' && c != '\r') | 850 | if (c != '\n' && c != '\r') |
| 852 | { | 851 | { |
| @@ -967,22 +966,13 @@ scan_c_stream (FILE *infile) | |||
| 967 | if (c < 0) | 966 | if (c < 0) |
| 968 | goto eof; | 967 | goto eof; |
| 969 | input_buffer[i++] = c; | 968 | input_buffer[i++] = c; |
| 969 | if (sizeof input_buffer <= i) | ||
| 970 | fatal ("identifier too long"); | ||
| 970 | c = getc (infile); | 971 | c = getc (infile); |
| 971 | } | 972 | } |
| 972 | while (! (c == ',' || c == ' ' || c == '\t' | 973 | while (! (c == ',' || c == ' ' || c == '\t' |
| 973 | || c == '\n' || c == '\r')); | 974 | || c == '\n' || c == '\r')); |
| 974 | input_buffer[i] = '\0'; | 975 | input_buffer[i] = '\0'; |
| 975 | |||
| 976 | if (name_size <= i) | ||
| 977 | { | ||
| 978 | free (name); | ||
| 979 | name_size = i + 1; | ||
| 980 | ptrdiff_t doubled; | ||
| 981 | if (! INT_MULTIPLY_WRAPV (name_size, 2, &doubled) | ||
| 982 | && doubled <= SIZE_MAX) | ||
| 983 | name_size = doubled; | ||
| 984 | name = xmalloc (name_size); | ||
| 985 | } | ||
| 986 | memcpy (name, input_buffer, i + 1); | 976 | memcpy (name, input_buffer, i + 1); |
| 987 | 977 | ||
| 988 | if (type == SYMBOL) | 978 | if (type == SYMBOL) |