ref: 21c1937146f4b5acc6e3a5a695116419f19554ad
parent: f00413b6a611d855fc398604c10a5b8c0afa596b
author: Roberto E. Vargas Caballero <k0ga@shike2.com>
date: Fri Jul 17 18:24:22 EDT 2015
Remove buffer overflow in expand() Macro expansions are done by replacing the macro invocation with the macro expansion. This means that the size of the line differs after the operation, but there was no check of this new size.
--- a/cc1/cpp.c
+++ b/cc1/cpp.c
@@ -210,12 +210,16 @@
fprintf(stderr, "macro '%s' expanded to :'%s'\n", macroname, buffer);
len = strlen(buffer);
+ if (begin - input->line + len >= LINESIZ-1)
+ error("macro expansion too long");
+
/* cut macro invocation */
memmove(begin, input->p, input->p - begin);
- memmove(begin + len, begin, len);
/* paste macro expansion */
+ memmove(begin + len, begin, len);
memcpy(begin, buffer, len);
+
input->p = input->begin = begin;
return 1;