Fix out-of-bounds access in gototab array for caret character (#47)
When matching a caret, the expression `f->gototab[s][c] = f->curstat;` in cgoto() will index the 2D-array gototab with [s][261]. However, gototab is declared as being of size [NSTATES][NCHARS], so [32][259]. Therefore, this assignment will write to the state for character 0x1. I'm not sure how to create a regression test for this, but increasing the array size to HAT+1 values fixes the error and the tests still pass. I found this issue while running awk on a CHERI system with sub-object protection enabled. On x86, this can be reproduced by compiling awk with -fsanitize=undefined.
This commit is contained in:
Alexander Richardson
Arnold Robbins
parent
50e6962495
commit
cbf924342b
3
awk.h
3
awk.h
@ -212,6 +212,7 @@ extern int pairstack[], paircnt;
|
||||
|
||||
#define NCHARS (256+3) /* 256 handles 8-bit chars; 128 does 7-bit */
|
||||
/* watch out in match(), etc. */
|
||||
#define HAT (NCHARS+2) /* matches ^ in regular expr */
|
||||
#define NSTATES 32
|
||||
|
||||
typedef struct rrow {
|
||||
@ -225,7 +226,7 @@ typedef struct rrow {
|
||||
} rrow;
|
||||
|
||||
typedef struct fa {
|
||||
uschar gototab[NSTATES][NCHARS];
|
||||
uschar gototab[NSTATES][HAT + 1];
|
||||
uschar out[NSTATES];
|
||||
uschar *restr;
|
||||
int *posns[NSTATES];
|
||||
|
||||
Loading…
Reference in New Issue
Block a user