[clang] 23cc8eb - [clang][lex] Speculative fix for buffer overrun on raw string parse
Jan Svoboda via cfe-commits
cfe-commits at lists.llvm.org
Mon Mar 15 07:14:57 PDT 2021
Author: Jan Svoboda
Date: 2021-03-15T15:13:47+01:00
New Revision: 23cc8ebf59c661ebb988370a0edbcda37b61080a
URL: https://github.com/llvm/llvm-project/commit/23cc8ebf59c661ebb988370a0edbcda37b61080a
DIFF: https://github.com/llvm/llvm-project/commit/23cc8ebf59c661ebb988370a0edbcda37b61080a.diff
LOG: [clang][lex] Speculative fix for buffer overrun on raw string parse
This attempts to fix a (non-deterministic) buffer overrun when parsing raw string literals during modular build.
Similar fix to 4e5b5c36f47c9a406ea7f6b4f89fae477693973a.
Reviewed By: beccadax
Differential Revision: https://reviews.llvm.org/D94950
Added:
Modified:
clang/lib/Lex/LiteralSupport.cpp
Removed:
################################################################################
diff --git a/clang/lib/Lex/LiteralSupport.cpp b/clang/lib/Lex/LiteralSupport.cpp
index 6c3cdbdf6492..df98516ee61d 100644
--- a/clang/lib/Lex/LiteralSupport.cpp
+++ b/clang/lib/Lex/LiteralSupport.cpp
@@ -1628,16 +1628,28 @@ void StringLiteralParser::init(ArrayRef<Token> StringToks){
// Check for raw string
if (ThisTokBuf[0] == 'R') {
+ if (ThisTokBuf[1] != '"') {
+ // The file may have come from PCH and then changed after loading the
+ // PCH; Fail gracefully.
+ return DiagnoseLexingError(StringToks[i].getLocation());
+ }
ThisTokBuf += 2; // skip R"
+ // C++11 [lex.string]p2: A `d-char-sequence` shall consist of at most 16
+ // characters.
+ constexpr unsigned MaxRawStrDelimLen = 16;
+
const char *Prefix = ThisTokBuf;
- while (ThisTokBuf[0] != '(')
+ while (ThisTokBuf - Prefix < MaxRawStrDelimLen && ThisTokBuf[0] != '(')
++ThisTokBuf;
+ if (ThisTokBuf[0] != '(')
+ return DiagnoseLexingError(StringToks[i].getLocation());
++ThisTokBuf; // skip '('
// Remove same number of characters from the end
ThisTokEnd -= ThisTokBuf - Prefix;
- assert(ThisTokEnd >= ThisTokBuf && "malformed raw string literal");
+ if (ThisTokEnd < ThisTokBuf)
+ return DiagnoseLexingError(StringToks[i].getLocation());
// C++14 [lex.string]p4: A source-file new-line in a raw string literal
// results in a new-line in the resulting execution string-literal.
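Review bot: In the delimiter scan, `while (ThisTokBuf - Prefix < MaxRawStrDelimLen && ThisTokBuf[0] != '(')` caps the walk at 16 characters but is still not bounded by the end of the token. If the buffer changed after the PCH was loaded (the case the new comment names) and the token is shorter than the cap, the loop and the following `ThisTokBuf[0] != '('` check can still read past ThisTokEnd before the later `ThisTokEnd < ThisTokBuf` test runs. Consider adding `ThisTokBuf < ThisTokEnd` to the loop condition, and likewise confirming the token holds at least two characters before reading `ThisTokBuf[1]`. Two smaller points: `ThisTokBuf - Prefix` is a signed pointer difference compared against an `unsigned` constant, so giving MaxRawStrDelimLen a signed type (or casting) avoids a sign-compare warning; and the three new `DiagnoseLexingError` returns land without a regression test, since only LiteralSupport.cpp is modified here.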