On Mon, Nov 16, 2015 at 12:45:08PM -0500, Michael McConville wrote:
> I may be missing something obvious here, but it seems that the below
> indices should be unsigned. str_table has UCHAR_MAX elements, so it
> expects to be indexed by chars > 127.
>
> I'm currently digging through a bunch of segfaults found by American
> Fuzzy Lop (afl). I don't think I've come across this in the results yet,
> but it caught my eye.
>
> Bounds checks may be necessary for the latter two hunks.
>
> Thoughts?
Looking at the grammar and lexer, the functions letter_node(),
array_node() and function_node() are called with the lexical value of
a LETTER symbol only, and these lexical values are restricted to
strings of lower case alphabetic chars and numbers. So the actual
values always fit into an int without sign extension problems.
Still, your diff might make sense from a general type safety point of
view.
-Otto
>
>
> Index: bc.y
> ===================================================================
> RCS file: /cvs/src/usr.bin/bc/bc.y,v
> retrieving revision 1.48
> diff -u -p -r1.48 bc.y
> --- bc.y 10 Oct 2015 19:28:54 -0000 1.48
> +++ bc.y 16 Nov 2015 17:22:05 -0000
> @@ -891,7 +891,7 @@ letter_node(char *str)
>
> len = strlen(str);
> if (len == 1 && str[0] != '_')
> - return cs(str_table[(int)str[0]]);
> + return cs(str_table[(u_char)str[0]]);
> else
> return lookup(str, len, 'L');
> }
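Review bot: the u_char cast only removes the sign-extension half of the problem; if str_table really has UCHAR_MAX elements, as the cover note says, a byte of 0xff still yields index UCHAR_MAX, one past the end. Either confirm str_table is declared with UCHAR_MAX + 1 entries or put an explicit range check in front of `return cs(str_table[(u_char)str[0]]);`. Since the reply states the grammar only ever passes lower-case letters here, an `assert(islower((u_char)str[0]))` would turn that lexer invariant into something the code checks rather than assumes.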
> @@ -903,7 +903,7 @@ array_node(char *str)
>
> len = strlen(str);
> if (len == 1 && str[0] != '_')
> - return cs(str_table[(int)str[0] - 'a' + ARRAY_CHAR]);
> + return cs(str_table[(u_char)str[0] - 'a' + ARRAY_CHAR]);
> else
> return lookup(str, len, 'A');
> }
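Review bot: the cast does not bound the index in this hunk, because `(u_char)str[0] - 'a'` promotes to int and goes negative for any byte below 'a', while a byte above 'z' runs past the range ARRAY_CHAR reserves; the cover note's own remark that "bounds checks may be necessary for the latter two hunks" applies here. Guard with `if (!islower((u_char)str[0]))` (or an assert documenting the lexer invariant) before `return cs(str_table[(u_char)str[0] - 'a' + ARRAY_CHAR]);`.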
> @@ -915,7 +915,7 @@ function_node(char *str)
>
> len = strlen(str);
> if (len == 1 && str[0] != '_')
> - return cs(str_table[(int)str[0] - 'a' + FUNC_CHAR]);
> + return cs(str_table[(u_char)str[0] - 'a' + FUNC_CHAR]);
> else
> return lookup(str, len, 'F');
> }
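Review bot: same unbounded `- 'a' + FUNC_CHAR` offset as in array_node(), so the same range check is needed here; rather than repeating the cast and the check in three places, consider one small helper that takes the character and a base (ARRAY_CHAR, FUNC_CHAR or 0), casts to u_char, validates 'a'..'z' and returns the offset, and have letter_node(), array_node() and function_node() all call it.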
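To make the sign-extension point in the thread concrete, here is an added example, not code from bc.y or from either poster. It uses a constructed str_table sized UCHAR_MAX + 1, constructed one-character inputs (a letter, a digit, and the byte 0xe9), spells OpenBSD's u_char as unsigned char, and uses a placeholder base value of 100 where bc has ARRAY_CHAR/FUNC_CHAR. It shows the pre-patch (int) index, the patched (u_char) index, and the range check the offset forms still need after the cast.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Constructed stand-in for bc's str_table, sized UCHAR_MAX + 1 so that
 * every value a u_char can take is a valid index. Entry i holds i so a
 * successful lookup returns the index it used. Not bc's own table.
 */
#define TABLE_SIZE (UCHAR_MAX + 1)
static int str_table[TABLE_SIZE];

static void
fill_table(void)
{
	static int filled;
	int i;

	if (filled)
		return;
	for (i = 0; i < TABLE_SIZE; i++)
		str_table[i] = i;
	filled = 1;
}

/* Constructed inputs: a plain letter, a digit, and a byte >= 0x80. */
static const char SAMPLE_LETTER[] = "q";
static const char SAMPLE_DIGIT[] = "5";
static const char SAMPLE_HIGH[] = { (char)0xe9, '\0' };

/*
 * Index as the pre-patch code computes it: (int)str[0]. Where char is
 * signed (the x86 ABIs, for instance), a byte >= 0x80 sign-extends to
 * a negative int and the lookup reads before the start of str_table.
 */
long
index_signed(const char *str)
{
	return (int)str[0];
}

/*
 * Index as the patch computes it: (u_char)str[0], written here as
 * unsigned char. Always 0..UCHAR_MAX, whatever the signedness of char.
 */
long
index_unsigned(const char *str)
{
	return (unsigned char)str[0];
}

/*
 * Lookup with the cast plus an explicit bounds check. The check is
 * redundant with a table of UCHAR_MAX + 1 entries, but it is what
 * catches a table declared with only UCHAR_MAX entries.
 */
int
lookup_checked(const char *str)
{
	long idx = index_unsigned(str);

	fill_table();
	if (idx < 0 || idx >= TABLE_SIZE)
		return -1;
	return str_table[idx];
}

/*
 * Offset form used by array_node()/function_node(): base + (c - 'a').
 * The u_char cast alone does not keep this non-negative, so only
 * 'a'..'z' is accepted; anything else returns -1 instead of an index.
 * base is a placeholder for ARRAY_CHAR or FUNC_CHAR.
 */
int
letter_offset(const char *str, int base)
{
	unsigned char c = (unsigned char)str[0];

	if (c < 'a' || c > 'z')
		return -1;
	return base + (c - 'a');
}

int
main(void)
{
	printf("char is %s here\n", CHAR_MIN < 0 ? "signed" : "unsigned");
	printf("(int)0xe9 index:    %ld\n", index_signed(SAMPLE_HIGH));
	printf("(u_char)0xe9 index: %ld\n", index_unsigned(SAMPLE_HIGH));
	printf("checked lookup:     %d\n", lookup_checked(SAMPLE_HIGH));
	printf("offset of 'q':      %d\n", letter_offset(SAMPLE_LETTER, 100));
	printf("offset of '5':      %d\n", letter_offset(SAMPLE_DIGIT, 100));
	return 0;
}
```

On a signed-char platform index_signed() reports -23 for the 0xe9 byte while index_unsigned() reports 233; on an unsigned-char platform both report 233, which is why the cast is the portable spelling. letter_offset() rejects the digit and the high byte alike, which is the check the two offset hunks still lack after the cast.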