Open pkioko opened 9 years ago
Buffer overflow occurs in LexContext::clearBuffer
I applied the following patch to detect the buffer overflow and rebuilt Compiler::Lexer.
diff --git a/include/lexer.hpp b/include/lexer.hpp
index e0efdc1..ffe9796 100644
--- a/include/lexer.hpp
+++ b/include/lexer.hpp
@@ -128,6 +128,8 @@ public:
}
};
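Review bot: `extern size_t debug_buffer_size;` introduces one process-wide value for a quantity that is sized per LexContext, so if two contexts are alive at once the later constructor overwrites the size the earlier one's clearBuffer() check will compare against. A member such as `size_t buffer_size;` declared next to `buffer_head` keeps the bound tied to the allocation it guards and needs no global definition in the .cpp. Whichever form is kept, a comment like `// total bytes allocated for token_buffer; consulted only by the overflow check in clearBuffer()` would document that this is a diagnostic field rather than part of the lexer state.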
+extern size_t debug_buffer_size;
+
class LexContext {
public:
ScriptManager *smgr;
@@ -153,6 +155,10 @@ public:
token_buffer[0] = EOL;
buffer_idx = 0;
token_buffer++;
+ if (token_buffer > (buffer_head + debug_buffer_size)) {
+ fprintf(stderr, "#### BUFFER OVERFLOW ####\n");
+ exit(1);
+ }
token_buffer[0] = EOL;
}
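Review bot: The new guard still lets a one-byte overflow through: after `token_buffer++` the write on the following line lands at `token_buffer[0]`, so the last valid position is `buffer_head + debug_buffer_size - 1` and the condition should be `if (token_buffer >= buffer_head + debug_buffer_size)`. The `token_buffer[0] = EOL;` before the increment writes the previous slot, which is only safe if an earlier call through this path already checked it, and any other writes to `token_buffer` outside this method remain unguarded. Terminating via `exit(1)` is acceptable for a diagnostic patch, but since this code runs inside the host Perl process a permanent check would rather report an error than exit. The enclosing method begins before this hunk.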
diff --git a/src/compiler/lexer/Compiler_lexer.cpp b/src/compiler/lexer/Compiler_lexer.cpp
index 96c195d..f745b1f 100644
--- a/src/compiler/lexer/Compiler_lexer.cpp
+++ b/src/compiler/lexer/Compiler_lexer.cpp
@@ -10,12 +10,13 @@ namespace TokenKind = Enum::Token::Kind;
Module::Module(const char *name_, const char *args_)
: name(name_), args(args_) {}
-
+size_t debug_buffer_size;
LexContext::LexContext(const char *filename, char *script)
: progress(0), buffer_idx(0)
{
script_size = strlen(script) + 1;
token_buffer = (char *)malloc((script_size + EXTEND_BUFFER_SIZE) * 2);
+ debug_buffer_size = ((script_size + EXTEND_BUFFER_SIZE) * 2);
buffer_head = token_buffer;
token_buffer[0] = EOL;
prev_type = TokenType::Undefined;
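Review bot: The added assignment repeats the size expression from the `malloc` call on the previous line, so the two can silently diverge if either is edited; compute it once: `const size_t bytes = (script_size + EXTEND_BUFFER_SIZE) * 2;`, `token_buffer = (char *)malloc(bytes);`, `debug_buffer_size = bytes;`. The result of `malloc` is not checked (pre-existing), and on failure `buffer_head` is NULL, which makes the new pointer comparison in clearBuffer() meaningless rather than protective; a `if (!token_buffer) { ... }` path would be worth adding alongside the check. The constructor continues past the end of this hunk.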
Then I ran the following script:
% cat test.pl
# Reproduction from the report: the scalar first holds fifteen newlines,
# then is reassigned to a single "#" before being handed to the lexer.
use Compiler::Lexer;
my $src = "\n" x 15;
$src = "#";    # replaces the newlines; only "#" reaches tokenize()
Compiler::Lexer->new->tokenize($src);
% perl test.pl
#### BUFFER OVERFLOW ####
It appears that a scalar that first held at least 15 newlines and was then reassigned to a string with no trailing newline causes the tokenizer to dump core.
Outputs:
My setup: