Fixed stack overflow in CPPextension function. An arbitrary size buffer was…

Fixed stack overflow in CPPextension function. An arbitrary size buffer was being used for extension name. Changed it to use MAX_SYMBOL_NAME_LEN. - Also formalized the values for MAX_SYMBOL_NAME_LEN and MAX_STRING_LEN. They were being used as if there was a confusion whether it included the NULL terminator or not. - Fixed some minor issues with code releated to the usage of MAX_SYMBOL_NAME_LEN and MAX_STRING_LEN. BUG=59625 (crbug.com) Review URL: http://codereview.appspot.com/2585042 git-svn-id: https://angleproject.googlecode.com/svn/trunk@464 736b8ea6-26fd-11df-bfd4-992fa37f6226

Fixed stack overflow in CPPextension function. An arbitrary size buffer was…
43668cd0 · alokp@chromium.org · fe5141ea · 43668cd0 · 43668cd0 · 43668cd0
Commit 43668cd0 authored Oct 20, 2010 by alokp@chromium.org
Showing with 10 additions and 11 deletions

cpp.c src/compiler/preprocessor/cpp.c +3 -2

scanner.c src/compiler/preprocessor/scanner.c +0 -0

scanner.h src/compiler/preprocessor/scanner.h +3 -2

tokens.c src/compiler/preprocessor/tokens.c +4 -7

No files found.
--- a/src/compiler/preprocessor/cpp.c
+++ b/src/compiler/preprocessor/cpp.c
@@ -670,7 +670,7 @@ static int CPPextension(yystypepp * yylvalpp)
 {
    int token = cpp->currentInput->scan(cpp->currentInput, yylvalpp);
-    char extensionName[80];
+    char extensionName[MAX_SYMBOL_NAME_LEN + 1];
    if(token=='\n'){
 		DecLineNumber();
@@ -682,7 +682,8 @@ static int CPPextension(yystypepp * yylvalpp)
    if (token != CPP_IDENTIFIER)
        CPPErrorToInfoLog("#extension");
-    strcpy(extensionName, GetAtomString(atable, yylvalpp->sc_ident));
+    strncpy(extensionName, GetAtomString(atable, yylvalpp->sc_ident), MAX_SYMBOL_NAME_LEN);
+    extensionName[MAX_SYMBOL_NAME_LEN] = '\0';
    token = cpp->currentInput->scan(cpp->currentInput, yylvalpp);
    if (token != ':') {

--- a/src/compiler/preprocessor/scanner.c
+++ b/src/compiler/preprocessor/scanner.c
--- a/src/compiler/preprocessor/scanner.h
+++ b/src/compiler/preprocessor/scanner.h
@@ -48,8 +48,9 @@ NVIDIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #if !defined(__SCANNER_H)
 #define __SCANNER_H 1
-#define MAX_SYMBOL_NAME_LEN 128
+// These lengths do not include the NULL terminator.
-#define MAX_STRING_LEN 512
+#define MAX_SYMBOL_NAME_LEN 127
+#define MAX_STRING_LEN 511
 #include "compiler/preprocessor/parser.h"

--- a/src/compiler/preprocessor/tokens.c
+++ b/src/compiler/preprocessor/tokens.c
@@ -275,8 +275,7 @@ int ReadToken(TokenStream *pTok, yystypepp * yylvalpp)
                     ch == '_')
            {
                if (len < MAX_SYMBOL_NAME_LEN) {
-                    symbol_name[len] = ch;
+                    symbol_name[len++] = ch;
-                    len++;
                    ch = lReadByte(pTok);
                }
            }
@@ -290,7 +289,7 @@ int ReadToken(TokenStream *pTok, yystypepp * yylvalpp)
            while ((ch = lReadByte(pTok)) != 0)
                if (len < MAX_STRING_LEN)
                    string_val[len++] = ch;
-            string_val[len] = 0;
+            string_val[len] = '\0';
            yylvalpp->sc_ident = LookUpAddString(atable, string_val);
            break;
        case CPP_FLOATCONSTANT:
@@ -299,8 +298,7 @@ int ReadToken(TokenStream *pTok, yystypepp * yylvalpp)
            while ((ch >= '0' && ch <= '9')||(ch=='e'||ch=='E'||ch=='.')||(ch=='+'||ch=='-'))
            {
                if (len < MAX_SYMBOL_NAME_LEN) {
-                    symbol_name[len] = ch;
+                    symbol_name[len++] = ch;
-                    len++;
                    ch = lReadByte(pTok);
                }
            }
@@ -315,8 +313,7 @@ int ReadToken(TokenStream *pTok, yystypepp * yylvalpp)
            while ((ch >= '0' && ch <= '9'))
            {
                if (len < MAX_SYMBOL_NAME_LEN) {
-                    symbol_name[len] = ch;
+                    symbol_name[len++] = ch;
-                    len++;
                    ch = lReadByte(pTok);
                }
            }