

ref: 21c1937146f4b5acc6e3a5a695116419f19554ad
parent: f00413b6a611d855fc398604c10a5b8c0afa596b
author: Roberto E. Vargas Caballero <[email protected]>
date: Fri Jul 17 18:24:22 EDT 2015

Remove buffer overflow in expand()

Macro expansions are done by replacing the macro invocation
with the macro expansion. This means that the size of the line
is different after the operation, but there was no check
of this new size.

--- a/cc1/cpp.c
+++ b/cc1/cpp.c
@@ -210,12 +210,16 @@
 	fprintf(stderr, "macro '%s' expanded to :'%s'\n", macroname, buffer);
 	len = strlen(buffer);
 
+	if (begin - input->line + len >= LINESIZ-1)
+		error("macro expansion too long");
+
 	/* cut macro invocation */
 	memmove(begin, input->p, input->p - begin);
-	memmove(begin + len, begin, len);
 
 	/* paste macro expansion */
+	memmove(begin + len, begin, len);
 	memcpy(begin, buffer, len);
+
 	input->p = input->begin = begin;
 
 	return 1;
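Review bot: The new bound at `if (begin - input->line + len >= LINESIZ-1)` counts only the text before the invocation plus the expansion, not the tail of the line that the cut on the following lines keeps after `input->p`; when that tail is non-empty the pasted line can still exceed LINESIZ, so the overflow the commit message describes is only narrowed, not removed. If input->line is the NUL-terminated line buffer and input->p points just past the invocation, the check should be `if ((begin - input->line) + len + strlen(input->p) >= LINESIZ-1)`, and it only protects the copies below if error() does not return, which the hunk does not show. The byte counts handed to the two memmove calls, `input->p - begin` and `len`, are the invocation length and the expansion length rather than the length of that tail, which is what both shifts have to move; this is pre-existing but worth confirming against the rest of expand(), whose body starts before the hunk.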