[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Emacs-diffs] master a3f3fea: Fix buffer overflow in make-docfile
From: |
Paul Eggert |
Subject: |
[Emacs-diffs] master a3f3fea: Fix buffer overflow in make-docfile |
Date: |
Sun, 30 Apr 2017 02:35:50 -0400 (EDT) |
branch: master
commit a3f3fea14abbc59a2b47cae5bec6252ec3a1f8cf
Author: Paul Eggert <address@hidden>
Commit: Paul Eggert <address@hidden>
Fix buffer overflow in make-docfile
* lib-src/make-docfile.c (scan_c_stream): Check for buffer
overflow when reading an identifier. Use a static buffer for NAME
rather than a small dynamically-allocated buffer.
---
lib-src/make-docfile.c | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/lib-src/make-docfile.c b/lib-src/make-docfile.c
index 53970a0..9470bd6 100644
--- a/lib-src/make-docfile.c
+++ b/lib-src/make-docfile.c
@@ -845,8 +845,7 @@ scan_c_stream (FILE *infile)
bool defvarperbufferflag = false;
bool defvarflag = false;
enum global_type type = INVALID;
- static char *name;
- static ptrdiff_t name_size;
+ static char name[sizeof input_buffer];
if (c != '\n' && c != '\r')
{
@@ -967,22 +966,13 @@ scan_c_stream (FILE *infile)
if (c < 0)
goto eof;
input_buffer[i++] = c;
+ if (sizeof input_buffer <= i)
+ fatal ("identifier too long");
c = getc (infile);
}
while (! (c == ',' || c == ' ' || c == '\t'
|| c == '\n' || c == '\r'));
input_buffer[i] = '\0';
-
- if (name_size <= i)
- {
- free (name);
- name_size = i + 1;
- ptrdiff_t doubled;
- if (! INT_MULTIPLY_WRAPV (name_size, 2, &doubled)
- && doubled <= SIZE_MAX)
- name_size = doubled;
- name = xmalloc (name_size);
- }
memcpy (name, input_buffer, i + 1);
if (type == SYMBOL)
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Emacs-diffs] master a3f3fea: Fix buffer overflow in make-docfile,
Paul Eggert <=