Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame^] | 1 | From 3079f7966dbed4497e36d5067cbfd896a90358cb Mon Sep 17 00:00:00 2001 |
| 2 | From: Cyrill Gorcunov <gorcunov@gmail.com> |
| 3 | Date: Wed, 14 Nov 2018 10:03:42 +0300 |
| 4 | Subject: [PATCH] preproc: Fix malformed parameter count |
| 5 | |
| 6 | readnum returns 64bit number which may become |
| 7 | a negative integer upon conversion which in |
| 8 | turn lead to out of bound array access. |
| 9 | |
| 10 | Fix it by explicit conversion with bounds check |
| 11 | |
| 12 | | POC6:2: error: parameter count `2222222222' is out of bounds [0; 2147483647] |
| 13 | |
| 14 | https://bugzilla.nasm.us/show_bug.cgi?id=3392528 |
| 15 | |
| 16 | Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> |
| 17 | |
| 18 | Upstream-Status: Backport |
| 19 | CVE: CVE-2018-19755 |
| 20 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> |
| 21 | --- |
| 22 | asm/preproc.c | 43 +++++++++++++++++++++---------------------- |
| 23 | 1 file changed, 21 insertions(+), 22 deletions(-) |
| 24 | |
| 25 | diff --git a/asm/preproc.c b/asm/preproc.c |
| 26 | index b6afee3..e5ad05a 100644 |
| 27 | --- a/asm/preproc.c |
| 28 | +++ b/asm/preproc.c |
| 29 | @@ -1650,6 +1650,23 @@ smacro_defined(Context * ctx, const char *name, int nparam, SMacro ** defn, |
| 30 | return false; |
| 31 | } |
| 32 | |
| 33 | +/* param should be a natural number [0; INT_MAX] */ |
| 34 | +static int read_param_count(const char *str) |
| 35 | +{ |
| 36 | + int result; |
| 37 | + bool err; |
| 38 | + |
| 39 | + result = readnum(str, &err); |
| 40 | + if (result < 0 || result > INT_MAX) { |
| 41 | + result = 0; |
| 42 | + nasm_error(ERR_NONFATAL, "parameter count `%s' is out of bounds [%d; %d]", |
| 43 | + str, 0, INT_MAX); |
| 44 | + } else if (err) { |
| 45 | + nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'", str); |
| 46 | + } |
| 47 | + return result; |
| 48 | +} |
| 49 | + |
| 50 | /* |
| 51 | * Count and mark off the parameters in a multi-line macro call. |
| 52 | * This is called both from within the multi-line macro expansion |
| 53 | @@ -1871,11 +1888,7 @@ static bool if_condition(Token * tline, enum preproc_token ct) |
| 54 | pp_directives[ct]); |
| 55 | } else { |
| 56 | searching.nparam_min = searching.nparam_max = |
| 57 | - readnum(tline->text, &j); |
| 58 | - if (j) |
| 59 | - nasm_error(ERR_NONFATAL, |
| 60 | - "unable to parse parameter count `%s'", |
| 61 | - tline->text); |
| 62 | + read_param_count(tline->text); |
| 63 | } |
| 64 | if (tline && tok_is_(tline->next, "-")) { |
| 65 | tline = tline->next->next; |
| 66 | @@ -1886,11 +1899,7 @@ static bool if_condition(Token * tline, enum preproc_token ct) |
| 67 | "`%s' expects a parameter count after `-'", |
| 68 | pp_directives[ct]); |
| 69 | else { |
| 70 | - searching.nparam_max = readnum(tline->text, &j); |
| 71 | - if (j) |
| 72 | - nasm_error(ERR_NONFATAL, |
| 73 | - "unable to parse parameter count `%s'", |
| 74 | - tline->text); |
| 75 | + searching.nparam_max = read_param_count(tline->text); |
| 76 | if (searching.nparam_min > searching.nparam_max) { |
| 77 | nasm_error(ERR_NONFATAL, |
| 78 | "minimum parameter count exceeds maximum"); |
| 79 | @@ -2079,8 +2088,6 @@ static void undef_smacro(Context *ctx, const char *mname) |
| 80 | */ |
| 81 | static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive) |
| 82 | { |
| 83 | - bool err; |
| 84 | - |
| 85 | tline = tline->next; |
| 86 | skip_white_(tline); |
| 87 | tline = expand_id(tline); |
| 88 | @@ -2103,11 +2110,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive) |
| 89 | if (!tok_type_(tline, TOK_NUMBER)) { |
| 90 | nasm_error(ERR_NONFATAL, "`%s' expects a parameter count", directive); |
| 91 | } else { |
| 92 | - def->nparam_min = def->nparam_max = |
| 93 | - readnum(tline->text, &err); |
| 94 | - if (err) |
| 95 | - nasm_error(ERR_NONFATAL, |
| 96 | - "unable to parse parameter count `%s'", tline->text); |
| 97 | + def->nparam_min = def->nparam_max = read_param_count(tline->text); |
| 98 | } |
| 99 | if (tline && tok_is_(tline->next, "-")) { |
| 100 | tline = tline->next->next; |
| 101 | @@ -2117,11 +2120,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive) |
| 102 | nasm_error(ERR_NONFATAL, |
| 103 | "`%s' expects a parameter count after `-'", directive); |
| 104 | } else { |
| 105 | - def->nparam_max = readnum(tline->text, &err); |
| 106 | - if (err) { |
| 107 | - nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'", |
| 108 | - tline->text); |
| 109 | - } |
| 110 | + def->nparam_max = read_param_count(tline->text); |
| 111 | if (def->nparam_min > def->nparam_max) { |
| 112 | nasm_error(ERR_NONFATAL, "minimum parameter count exceeds maximum"); |
| 113 | def->nparam_max = def->nparam_min; |
| 114 | -- |
| 115 | 2.10.5.GIT |
| 116 | |