Re: Patch request: Fix a macro expansion segfault from unchecked overflo

m4-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Patch request: Fix a macro expansion segfault from unchecked overflo

From:	Eric Blake
Subject:	Re: Patch request: Fix a macro expansion segfault from unchecked overflow.
Date:	Fri, 8 Jul 2022 15:10:05 -0500
User-agent:	NeoMutt/20220429-157-d20c88

On Fri, Jun 24, 2022 at 10:29:02PM -0600, Byron Johnson wrote:
> Hello,
> 
> I've attached to this email a patch that fixes a segfault from
> ‘expand_user_macro’ so that integer overflows don't bypass the bounds
> check.  It applies to ‘branch-1.4’.

Thanks for catching a lurking bug!  The patch is not quite correct: by
using unsigned, you have avoided the overflow to negative that
triggered an out-of-bounds memory reference, but you did not prevent
overflow where a macro definition of `$4294967297' is identical to a
macro definition of `$1' whether or not your patch is applied.  Better
is to treat all cases of integer overflow as being larger than argc,
and expand to an empty string, rather than having aliased expansions
to earlier argument numbers, but that requires more than one line of
code to do properly.

> 
> Byron

> From 1807c3bfca8ecb761f46be149dc3cb1ea2b041d2 Mon Sep 17 00:00:00 2001
> From: Byron Johnson <byron@byronjohnson.net>
> Date: Fri, 24 Jun 2022 21:59:35 -0600
> Subject: [PATCH] Fix a macro expansion segfault from unchecked overflow.
> 
> This example reproduces the bug on 1.4 m4's before this fix:
>       % ~/local/m4/1.4/bin/m4 <<< 'define(`mac'\'', $2028558489387014291456) 
> mac'
>       /home/bairyn/local/m4/1.4/bin/m4: internal error detected; please 
> report this bug to <bug-m4@gnu.org>: Segmentation fault

That bug is ANCIENT!  It is still present in commit bd11691d (ie, the
very first git commit matching the release of 1.4 in Nov 1994); I have
no access to sources specific to earlier release versions to know when
the GNU extension of supporting $10 as the tenth parameter (rather
than the first parameter concatenated with literal 0) was actually
introduced, but that appears to be where the bug was introduced -
perhaps as far back as release 0.50 in Jan 1990.

Not every day you get to find and fix a bug that old!

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Patch request: Fix a macro expansion segfault from unchecked overflow., Eric Blake <=
- Re: Patch request: Fix a macro expansion segfault from unchecked overflow., Byron Johnson, 2022/07/09

Next by Date: Re: Patch request: Fix a macro expansion segfault from unchecked overflow.
Next by thread: Re: Patch request: Fix a macro expansion segfault from unchecked overflow.
Index(es):
- Date
- Thread