From 8b8722d2b27119545de3d69388af74489c62d951 Mon Sep 17 00:00:00 2001
From: "Andrey A. Chernov"
Date: Wed, 28 Nov 2001 09:50:24 +0000
Subject: [PATCH] Rewrite buffer handling code a bit to handle large values. Add more checks for data overflow.
---
 usr.bin/colldef/common.h | 1 +
 usr.bin/colldef/parse.y | 10 +++++++++-
 usr.bin/colldef/scan.l | 9 +++++----
 3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/usr.bin/colldef/common.h b/usr.bin/colldef/common.h
index 9497e177b3ce..316490d4eb8d 100644
--- a/usr.bin/colldef/common.h
+++ b/usr.bin/colldef/common.h
@@ -3,6 +3,7 @@
 */
 #define CHARMAP_SYMBOL_LEN 64
+#define BUFSIZE 80
 extern int line_no;
diff --git a/usr.bin/colldef/parse.y b/usr.bin/colldef/parse.y
index 2d47cf66227b..ae7f06ec8725 100644
--- a/usr.bin/colldef/parse.y
+++ b/usr.bin/colldef/parse.y
@@ -61,7 +61,7 @@ char *out_file = "LC_COLLATE";
 %}
 %union {
 u_char ch;
- u_char str[STR_LEN];
+ u_char str[BUFSIZE];
 }
 %token SUBSTITUTE WITH ORDER RANGE
 %token STRING
@@ -90,6 +90,8 @@ substitute : SUBSTITUTE CHAR WITH STRING {
 yyerror("NUL character can't be substituted");
 if (strchr($4, $2) != NULL)
 yyerror("Char 0x%02x substitution is recursive", $2);
+ if (strlen($4) + 1 > STR_LEN)
+ yyerror("Char 0x%02x substitution is too long", $2);
 strcpy(__collate_substitute_table[$2], $4);
 }
 ;
@@ -138,6 +140,8 @@ item : CHAR {
 | CHAIN {
 if (chain_index >= TABLE_SIZE - 1)
 yyerror("__collate_chain_pri_table overflow");
+ if (strlen($1) + 1 > STR_LEN)
+ yyerror("Chain %d is too long", chain_index);
 strcpy(__collate_chain_pri_table[chain_index].str, $1);
 __collate_chain_pri_table[chain_index++].prim = prim_pri++;
 }
@@ -188,6 +192,8 @@ prim_sub_item : CHAR {
 | CHAIN {
 if (chain_index >= TABLE_SIZE - 1)
 yyerror("__collate_chain_pri_table overflow");
+ if (strlen($1) + 1 > STR_LEN)
+ yyerror("Chain %d is too long", chain_index);
 strcpy(__collate_chain_pri_table[chain_index].str, $1);
 __collate_chain_pri_table[chain_index++].prim = prim_pri;
 }
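Review bot: `BUFSIZE`, added in the common.h hunk, is one letter away from `BUFSIZ` from `<stdio.h>`, so a typo in a later bounds check would compile silently against a different, implementation-defined size wherever that header is included. A project-specific name would avoid the collision, for example `#define COLLDEF_BUFSIZE 80`. The define also deserves a comment such as `/* scanner token buffer size; must be >= STR_LEN so parse.y can reject over-long strings itself */`. That relation to `STR_LEN` is inferred from the parse.y and scan.l hunks of this patch, not stated in the header.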
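Review bot: The new length guard in the `substitute` action only protects the table if `yyerror()` never returns, because `strcpy(__collate_substitute_table[$2], $4)` follows it unconditionally; `yyerror` is defined outside this patch, so that cannot be confirmed from the hunk. The same guard-then-`strcpy` pattern is repeated in the CHAIN actions of `item`, `prim_sub_item` and `sec_sub_item`, whose bodies all start outside their hunks. Either state the dependency next to the check with a comment such as `/* yyerror() does not return */`, or put the copy in an `else` branch so the bound holds regardless. The three CHAIN copies are identical and could share one helper that checks the length against `STR_LEN` and then copies.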
@@ -215,6 +221,8 @@ sec_sub_item : CHAR {
 | CHAIN {
 if (chain_index >= TABLE_SIZE - 1)
 yyerror("__collate_chain_pri_table overflow");
+ if (strlen($1) + 1 > STR_LEN)
+ yyerror("Chain %d is too long", chain_index);
 strcpy(__collate_chain_pri_table[chain_index].str, $1);
 __collate_chain_pri_table[chain_index].prim = prim_pri;
 __collate_chain_pri_table[chain_index++].sec = sec_pri++;
diff --git a/usr.bin/colldef/scan.l b/usr.bin/colldef/scan.l
index ff24cd288445..8085440880a9 100644
--- a/usr.bin/colldef/scan.l
+++ b/usr.bin/colldef/scan.l
@@ -39,7 +39,7 @@
 #include "y.tab.h"
 int line_no = 1, save_no, fromsubs;
-u_char buf[80], *ptr;
+u_char buf[BUFSIZE], *ptr;
 FILE *map_fp;
 YY_BUFFER_STATE main_buf, map_buf;
 #ifdef FLEX_DEBUG
@@ -100,7 +100,7 @@ YYSTYPE yylval;
 yylval.ch = *yytext;
 return CHAR;
 }
- if(yyleng > STR_LEN - 1)
+ if(yyleng > BUFSIZE - 1)
 errx(EX_UNAVAILABLE, "chain buffer overflow near line %u",
 line_no);
 strcpy(yylval.str, yytext);
@@ -145,12 +145,13 @@ YYSTYPE yylval;
 errx(EX_UNAVAILABLE, "non-empty name expected near line %u",
 line_no);
 *ptr = '\0';
- for (i = 0; i <= UCHAR_MAX; i++)
+ for (i = 0; i <= UCHAR_MAX; i++) {
 if (strcmp(charmap_table[i], buf) == 0)
 goto findit;
+ }
 errx(EX_UNAVAILABLE, "name <%s> not 'charmap'-defined near line %u",
 buf, line_no);
- findit:
+ findit:
 yylval.ch = i;
 if (fromsubs)
 BEGIN(subs);
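Review bot: In the second scan.l hunk, `strcpy(yylval.str, yytext)` is now bounded by `BUFSIZE`, which is safe only because this same patch resizes `str` in parse.y's `%union` to that macro; nothing in the check refers to the destination buffer. Writing the test against the buffer itself, `if (yyleng > (int)sizeof(yylval.str) - 1)`, keeps it correct if the union member is resized again. The same applies to `buf[BUFSIZE]` in the first scan.l hunk: any bound on `ptr` elsewhere in the file should use `sizeof(buf)` rather than a literal 80, which cannot be checked here because those rules are outside the patch. The rule body containing the `strcpy` starts outside the hunk.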