From 0f6cf1bdb8407b7e003ca983145d3f67a6ca78dc Mon Sep 17 00:00:00 2001 From: Kaz Kylheku Date: Fri, 2 Dec 2016 22:00:42 -0800 Subject: Harden processing of character escapes. Weakness uncovered by fuzzing with AFL (fast) 2.30b. The failing test case is regex syntax like [\1111111...111abc], where the bad character escape allows an invalid, negatively valued character object to escape out of the parser into the system leading to an an out-of-bounds array access in the char set code in the regex compiler. * parser.l (num_esc): Make sure that an out-of-range character is mapped to zero. Set up a default value of zero for the return variable. If the character token has too many digits, don't pass them through strtol at all, which will produce a garbage value. Then in the final range check, actually replace the value with zero if it is out of range: issuing a diagnostic is not enough. --- parser.l | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/parser.l b/parser.l index cff641ae..89c89193 100644 --- a/parser.l +++ b/parser.l @@ -161,22 +161,26 @@ static wchar_t char_esc(int letter) static wchar_t num_esc(scanner_t *scn, char *num) { - long val; + long val = 0; if (num[0] == 'x') { if (strlen(num) > 7) yyerror(scn, yyget_extra(scn), "too many digits in hex character escape"); - val = strtol(num + 1, 0, 16); + else + val = strtol(num + 1, 0, 16); } else { if (num[0] == 'o') num++; if (strlen(num) > 8) yyerror(scn, yyget_extra(scn), "too many digits in octal character escape"); - val = strtol(num, 0, 8); + else + val = strtol(num, 0, 8); } - if (val < 0 || val > 0x10FFFF || (wchar_t) val != val) + if (val < 0 || val > 0x10FFFF || (wchar_t) val != val) { yyerror(scn, yyget_extra(scn), "numeric character escape out of range"); + val = 0; + } return val; } -- cgit v1.2.3