author | Gavin Howard <gavin@yzena.com> | 2022-10-24 20:29:37 -0600 |
---|---|---|
committer | Gavin Howard <gavin@yzena.com> | 2022-10-24 20:31:55 -0600 |
commit | 5786f77251cd9a973e1659bd5ed07a0738438d15 (patch) | |
tree | b1edefd0b944e72579fe7071a582097b6ed797a6 | |
parent | e84ba850093ab0db5530a06c1021935c2db3998c (diff) | |
download | bc-5786f77251cd9a973e1659bd5ed07a0738438d15.tar.gz |
Fix a crash found by AFL
This crash was caused by sending string arguments to
bc_program_asciifyNum(), which shouldn't happen. After all, it's got
"Num" in the name. So I added an if statement for it.
This was a crash from a bug in new code for this release, so we caught a
bug before release! Yay!
Signed-off-by: Gavin Howard <gavin@yzena.com>
-rw-r--r-- | src/program.c | 10 | ||||
-rw-r--r-- | tests/bc/errors/36.txt | 11 |
2 files changed, 20 insertions, 1 deletions
diff --git a/src/program.c b/src/program.c
index 0a54318a..e46642d5 100644
--- a/src/program.c
+++ b/src/program.c
@@ -2298,7 +2298,15 @@ bc_program_asciify(BcProgram* p)
 for (i = 0; i < v->len; ++i)
 {
 BcNum* num = (BcNum*) bc_vec_item(v, i);
- temp_str[i] = (char) bc_program_asciifyNum(p, num);
+
+ if (BC_PROG_STR(num))
+ {
+ temp_str[i] = (bc_program_string(p, num))[0];
+ }
+ else
+ {
+ temp_str[i] = (char) bc_program_asciifyNum(p, num);
+ }
 }
 temp_str[v->len] = '\0';
diff --git a/tests/bc/errors/36.txt b/tests/bc/errors/36.txt
new file mode 100644
index 00000000..5929bdb7
--- /dev/null
+++ b/tests/bc/errors/36.txt
@@ -0,0 +1,11 @@
+n0 +for (i*= 9; i < 725; ++i)strse=a[0] = asciify(180) +d2 +asciify(a[]) +x = a433 +asciify(a[]) +x = asciify(a[]) +x = asciify(18 = 72@II^II +F;FR2 +F;FRI3 +Qor
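Review bot: In the src/program.c hunk, the new `BC_PROG_STR(num)` branch stores `(bc_program_string(p, num))[0]` with no comment and no handling for an empty string. If an array element can hold an empty string, that writes `'\0'` into the middle of `temp_str`, and any later code that measures `temp_str` as a C string would stop there even though `v->len` bytes were filled. bc_program_asciify starts and ends outside the hunk, so whether that truncation is intended cannot be confirmed here. I would document it with a comment such as `// Array elements may be strings rather than numbers; take the first byte (NUL if the string is empty).` Since the crash came from a string-tagged BcNum reaching bc_program_asciifyNum(), a debug assertion at the top of that function that its argument is not a string would make any other caller fail loudly instead of corrupting state.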
\ No newline at end of file |