r322390 - [Lex] Avoid out-of-bounds dereference in LexAngledStringLiteral.

Hans Wennborg via cfe-commits cfe-commits at lists.llvm.org
Wed Jan 17 05:26:14 PST 2018


Merged in r322649.

(Richard, please shout if you object to the merging; I figured since
you lgtm'ed it, this would be fine.)

On Fri, Jan 12, 2018 at 8:43 PM, Volodymyr Sapsai <vsapsai at apple.com> wrote:
> Hans, I am nominating this change to be merged into 6.0.0 release branch.
>
> Thanks,
> Volodymyr
>
>> On Jan 12, 2018, at 10:54, Volodymyr Sapsai via cfe-commits <cfe-commits at lists.llvm.org> wrote:
>>
>> Author: vsapsai
>> Date: Fri Jan 12 10:54:35 2018
>> New Revision: 322390
>>
>> URL: http://llvm.org/viewvc/llvm-project?rev=322390&view=rev
>> Log:
>> [Lex] Avoid out-of-bounds dereference in LexAngledStringLiteral.
>>
>> Fix makes the loop in LexAngledStringLiteral more like the loops in
>> LexStringLiteral, LexCharConstant. When we skip a character after
>> backslash, we need to check if we reached the end of the file instead of
>> reading the next character unconditionally.
>>
>> Discovered by OSS-Fuzz:
>> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3832
>>
>> rdar://problem/35572754
>>
>> Reviewers: arphaman, kcc, rsmith, dexonsmith
>>
>> Reviewed By: rsmith, dexonsmith
>>
>> Subscribers: cfe-commits, rsmith, dexonsmith
>>
>> Differential Revision: https://reviews.llvm.org/D41423
>>
>> Added:
>>    cfe/trunk/test/Lexer/null-character-in-literal.c   (with props)
>> Modified:
>>    cfe/trunk/lib/Lex/Lexer.cpp
>>    cfe/trunk/unittests/Lex/LexerTest.cpp
>>
>> Modified: cfe/trunk/lib/Lex/Lexer.cpp
>> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Lex/Lexer.cpp?rev=322390&r1=322389&r2=322390&view=diff
>> ==============================================================================
>> --- cfe/trunk/lib/Lex/Lexer.cpp (original)
>> +++ cfe/trunk/lib/Lex/Lexer.cpp Fri Jan 12 10:54:35 2018
>> @@ -2009,18 +2009,21 @@ bool Lexer::LexAngledStringLiteral(Token
>>   const char *AfterLessPos = CurPtr;
>>   char C = getAndAdvanceChar(CurPtr, Result);
>>   while (C != '>') {
>> -    // Skip escaped characters.
>> -    if (C == '\\' && CurPtr < BufferEnd) {
>> -      // Skip the escaped character.
>> -      getAndAdvanceChar(CurPtr, Result);
>> -    } else if (C == '\n' || C == '\r' ||             // Newline.
>> -               (C == 0 && (CurPtr-1 == BufferEnd ||  // End of file.
>> -                           isCodeCompletionPoint(CurPtr-1)))) {
>> +    // Skip escaped characters.  Escaped newlines will already be processed by
>> +    // getAndAdvanceChar.
>> +    if (C == '\\')
>> +      C = getAndAdvanceChar(CurPtr, Result);
>> +
>> +    if (C == '\n' || C == '\r' ||             // Newline.
>> +        (C == 0 && (CurPtr-1 == BufferEnd ||  // End of file.
>> +                    isCodeCompletionPoint(CurPtr-1)))) {
>>       // If the filename is unterminated, then it must just be a lone <
>>       // character.  Return this as such.
>>       FormTokenWithChars(Result, AfterLessPos, tok::less);
>>       return true;
>> -    } else if (C == 0) {
>> +    }
>> +
>> +    if (C == 0) {
>>       NulCharacter = CurPtr-1;
>>     }
>>     C = getAndAdvanceChar(CurPtr, Result);
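Review bot: The comment above if (C == '\\') still opens with "Skip escaped characters", but the character after the backslash is no longer just skipped: it is assigned to C and then goes through the newline/end-of-file check and the if (C == 0) block. One visible consequence is that a NUL directly after a backslash now sets NulCharacter, which the old else-if chain never did for a skipped character. If that is intended, the comment should say that the escaped character is still checked for end of file and NUL; if it is not, the C == 0 block needs to exclude the escaped case. It would also help to note that, with the CurPtr < BufferEnd guard removed, the CurPtr-1 == BufferEnd test is what terminates the loop at the end of the buffer.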
>>
>> Added: cfe/trunk/test/Lexer/null-character-in-literal.c
>> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Lexer/null-character-in-literal.c?rev=322390&view=auto
>> ==============================================================================
>> Binary file - no diff available.
>>
>> Propchange: cfe/trunk/test/Lexer/null-character-in-literal.c
>> ------------------------------------------------------------------------------
>>    svn:mime-type = application/octet-stream
>>
>> Modified: cfe/trunk/unittests/Lex/LexerTest.cpp
>> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/unittests/Lex/LexerTest.cpp?rev=322390&r1=322389&r2=322390&view=diff
>> ==============================================================================
>> --- cfe/trunk/unittests/Lex/LexerTest.cpp (original)
>> +++ cfe/trunk/unittests/Lex/LexerTest.cpp Fri Jan 12 10:54:35 2018
>> @@ -475,6 +475,8 @@ TEST_F(LexerTest, GetBeginningOfTokenWit
>>
>> TEST_F(LexerTest, AvoidPastEndOfStringDereference) {
>>   EXPECT_TRUE(Lex("  //  \\\n").empty());
>> +  EXPECT_TRUE(Lex("#include <\\\\").empty());
>> +  EXPECT_TRUE(Lex("#include <\\\\\n").empty());
>> }
>>
>> TEST_F(LexerTest, StringizingRasString) {
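Review bot: Both cases added to AvoidPastEndOfStringDereference end in two backslashes, so an input whose last character is a single backslash (Lex("#include <\\")) and one where a backslash is followed by an embedded NUL are not exercised here. Adding those would cover the other ways the if (C == '\\') path in LexAngledStringLiteral can reach the end of the buffer. Since the assertions only check that the token list is empty, a one-line comment naming which input corresponds to the OSS-Fuzz report would make the intent of each case clear.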
>>
>>
>

