author | Alexander Richardson <Alexander.Richardson@cl.cam.ac.uk> | 2019-09-10 07:54:11 +0100 |
---|---|---|
committer | Arnold Robbins <arnold@skeeve.com> | 2019-09-10 09:54:11 +0300 |
commit | cbf924342b63a095a4c6842280c3085b1b63ae45 (patch) | |
tree | 2e3d6c89a6c5a20b3336cadf5438850063fbb9aa /lex.c | |
parent | 50e6962495a6f36f545d4102ccb82a2dc50b0a20 (diff) | |
Fix out-of-bounds access in gototab array for caret character (#47)

When matching a caret, the expression `f->gototab[s][c] = f->curstat;` in
cgoto() will index the 2D-array gototab with [s][261]. However, gototab
is declared as being of size [NSTATES][NCHARS], so [32][259]. Therefore,
this assignment will write to the state for character 0x1.

I'm not sure how to create a regression test for this, but increasing the
array size to HAT+1 values fixes the error and the tests still pass.

I found this issue while running awk on a CHERI system with sub-object
protection enabled. On x86, this can be reproduced by compiling awk
with -fsanitize=undefined.
Diffstat (limited to 'lex.c')
0 files changed, 0 insertions, 0 deletions
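
The row-major arithmetic behind the bug described in the commit message, as an added example that is not code from the awk source. `struct where`, `resolve()` and `rows_clobbered()` are hypothetical names; only the sizes 32, 259 and 261 come from the message.

```c
#include <stddef.h>
#include <stdio.h>

/* Sizes quoted in the commit message. Everything else here is a
 * constructed stand-in, not awk's real data structures. */
#define NSTATES 32
#define NCHARS  259
#define HAT     261            /* column index used for the caret */

struct where { int in_table; int row; int col; };

/* Where does table[s][c] really land for int table[NSTATES][ncols]?
 * C lays the rows out back to back, so an out-of-range column is
 * silently carried into a later row (or past the end of the table). */
static struct where resolve(int ncols, int s, int c)
{
    size_t flat = (size_t)s * (size_t)ncols + (size_t)c;
    struct where w;
    w.in_table = flat < (size_t)NSTATES * (size_t)ncols;
    w.row = (int)(flat / (size_t)ncols);
    w.col = (int)(flat % (size_t)ncols);
    return w;
}

/* Number of states whose caret write does not stay in their own row. */
static int rows_clobbered(int ncols)
{
    int s, n = 0;
    for (s = 0; s < NSTATES; s++) {
        struct where w = resolve(ncols, s, HAT);
        if (!w.in_table || w.row != s)
            n++;
    }
    return n;
}

int main(void)
{
    int ncols[2] = { NCHARS, HAT + 1 };   /* before and after the fix */
    int i;
    for (i = 0; i < 2; i++) {
        struct where last = resolve(ncols[i], NSTATES - 1, HAT);
        printf("[%d][%d]: %d of %d caret writes leave their row; "
               "last state %s the table\n", NSTATES, ncols[i],
               rows_clobbered(ncols[i]), NSTATES,
               last.in_table ? "stays inside" : "writes past");
    }
    return 0;
}
```

With the original width every state's caret write spills into the following row, and the write for the last state falls outside the table altogether, which is the access a sub-object bounds check or `-fsanitize=undefined` flags.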