Hello,
this seems to be the same problem seen in #391051 for regular
expressions (collect_RE).

In this bug we overrun the size limit of string_buff (tempbuff._string_buff)
in function collect_string.

Attached patch adds a check to collect_string similar to the one in #391051.

With that applied the build of win32-loader would fail with this message:
  awk: line 1: regular expression /grub2      ... exceeds implementation size limit


Kind regards,
Bernhard



(gdb) print sizeof(tempbuff._string_buff)
$1 = 400
(gdb) watch tempbuff._string_buff[399]
...
Hardware watchpoint 1: tempbuff._string_buff[399]

Old value = 0 '\000'
New value = 100 'd'
0x80004c60 in collect_string () at scan.c:985
985           switch (scan_code[*p++ = next()])
(gdb) bt
#0  0x80004c60 in collect_string () at scan.c:985
#1  yylex () at scan.c:651
#2  0x80002088 in yyparse () at y.tab.c:1735
#3  0x80003f15 in parse () at parse.y:1368
#4  0x8000188c in main (argc=3, argv=0xbffff274) at main.c:63
From b7bea87e72ee6a72691e1fa54d2a4555c9698026 Mon Sep 17 00:00:00 2001
From: root <root@debian>
Date: Thu, 20 Apr 2017 16:54:05 +0200
Subject: Do not crash if argument is too long for our buffer

This patch modifies collect_string and is a copy of the
patch added to fix collect_RE in these bugs:
  https://bugs.launchpad.net/bug/23494
  https://bugs.debian.org/391051

Bug-Debian: https://bugs.debian.org/860751
---
 scan.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/scan.c b/scan.c
index ef4df50..e343890 100644
--- a/scan.c
+++ b/scan.c
@@ -982,6 +982,15 @@ collect_string()
    int e_flag = 0 ;		 /* on if have an escape char */
 
    while (1)
+   {
+      if (p >= string_buff + MIN_SPRINTF - 2)
+      {
+          compile_error(
+                         "regular expression /%.10s ..."
+                         " exceeds implementation size limit",
+                         string_buff) ;
+         mawk_exit(2) ;
+      }
       switch (scan_code[*p++ = next()])
       {
 	 case SC_DQUOTE:	/* done */
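Review bot: the diagnostic text copied from collect_RE still reads `"regular expression /%.10s ..."`, so an over-long string literal is reported as a regular expression with a `/` delimiter (the e-mail's own build output shows `regular expression /grub2 ...`); for collect_string it should say something like `"string literal \"%.10s ..." " exceeds implementation size limit"`. The guard is also written as `p >= string_buff + MIN_SPRINTF - 2` rather than in terms of the buffer's own size (the gdb session shows `sizeof(tempbuff._string_buff)` is 400), so the check silently depends on MIN_SPRINTF and the buffer declaration staying in step; a constant tied to the declaration would make that explicit. Minor style point: `mawk_exit(2) ;` is indented one column less than the `compile_error(` call above it.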
@@ -1016,6 +1025,7 @@ collect_string()
 	 default:
 	    break ;
       }
+   }
 
 out:
    yylval.ptr = (PTR) new_STRING(
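Review bot: this hunk only closes the block opened around `while (1)` in the first hunk; the new `}` before `out:` is indented to match that loop, which is fine, but with the matching `{` some forty lines away a trailing `/* while (1) */` comment would help the next reader. Nothing else changes here, consistent with the `10 insertions(+)` in the diffstat.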
-- 
2.11.0
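As an added example that is not mawk's code: a simplified string-literal collector modelled on collect_string() with the patch's bounds check, using the 400-byte buffer size from the gdb session above; the function names, `STRING_BUFF_SIZE` and the result codes are assumptions made for this example.

```c
/* Added example, not mawk's code: a simplified string-literal collector
 * modelled on collect_string() with the patch's bounds check. The buffer size
 * mirrors sizeof(tempbuff._string_buff) == 400 from the gdb session. */
#include <string.h>

#define STRING_BUFF_SIZE 400
enum collect_rc { COLLECT_OK = 0, COLLECT_UNTERMINATED = 1, COLLECT_TOO_LONG = 2 };

/* src points just past the opening quote. A backslash and the character
 * after it are copied verbatim (unescaping happens later, as in mawk).
 * On success buf is NUL-terminated and *out_len is its length. */
enum collect_rc collect_string(const char *src, char *buf, size_t bufsize,
                               size_t *out_len)
{
    char *p = buf;
    /* Patch's guard: stop once p >= string_buff + SIZE - 2. The two spare
     * bytes cover an escape pair (backslash + next char) plus the NUL. */
    const char *limit = buf + bufsize - 2;
    while (1) {
        *out_len = (size_t)(p - buf);
        if (p >= limit)
            return COLLECT_TOO_LONG;    /* mawk: compile_error + mawk_exit(2) */
        char c = *src++;
        if (c == '\0' || c == '\n')     /* EOF or newline inside the literal */
            return COLLECT_UNTERMINATED;
        if (c == '"')                   /* closing quote: done */
            break;
        *p++ = c;
        if (c == '\\') {                /* escape: keep the escaped char too */
            if (*src == '\0')
                return COLLECT_UNTERMINATED;
            *p++ = *src++;
        }
    }
    *p = '\0';
    *out_len = (size_t)(p - buf);
    return COLLECT_OK;
}

/* Collect a constructed literal of `len` 'd' characters (like the long grub2
 * argument from the bug) into a fixed 400-byte buffer. */
enum collect_rc collect_d_literal(size_t len, size_t *out_len)
{
    char src[1024], buf[STRING_BUFF_SIZE];
    if (len > sizeof src - 2) len = sizeof src - 2;   /* keep src in bounds */
    memset(src, 'd', len);
    src[len] = '"'; src[len + 1] = '\0';
    return collect_string(src, buf, sizeof buf, out_len);
}
```

A 450-character literal is rejected with COLLECT_TOO_LONG after 398 bytes, which is exactly where the unpatched loop would have kept writing past `string_buff[399]`.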
