Fix crash when number of arguments exceeds sMAXARGS

During the first pass the call to error() is ignored and therefore
doesn't break out of the loop. This causes stack corruption because
of an OOB write to arglist.

Fixes #298.
Zeex 2018-04-22 18:48:31 +06:00
parent 7863adff4d
commit 7a53a93574
3 changed files with 11 additions and 1 deletions


@ -2078,8 +2078,10 @@ static int nesting=0;
* of the function; check it again for functions with a variable
* argument list
*/
if (argpos>=sMAXARGS)
if (argpos>=sMAXARGS) {
error(45); /* too many function arguments */
break;
} /* if */
stgmark((char)(sEXPRSTART+argpos));/* mark beginning of new expression in stage */
if (arglist[argpos]!=ARG_UNHANDLED)
error(58); /* argument already set */
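Review bot: The new `break` under the `argpos>=sMAXARGS` check has no comment explaining why it is needed, and the reason is not visible in the code. Per the commit description, error() can return without aborting during the first pass, so the guard itself has to leave the loop before `arglist[argpos]` is indexed a few lines below. I would add `/* error() may return (it is ignored in the first pass); leave the loop before arglist[argpos] is touched */` above the `break`. The enclosing loop and the rest of the function are outside this hunk, so any other site that indexes `arglist` by `argpos` should be checked for the same assumption that error(45) ends processing.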


@ -45,6 +45,9 @@ set_tests_properties(gh_283 PROPERTIES PASS_REGULAR_EXPRESSION "\
.*\\.pwn\\(5\\) : warning 234: function is deprecated \\(symbol \"print\"\\)\
")
add_compiler_test(too_many_args_crash_gh_298 ${CMAKE_CURRENT_SOURCE_DIR}/too_many_args_crash_gh_298.pwn)
set_tests_properties(too_many_args_crash_gh_298 PROPERTIES PASS_REGULAR_EXPRESSION "too many function arguments")
# Crashers
#
# These tests simply check that the compiler doesn't crash.
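Review bot: The new `too_many_args_crash_gh_298` test is judged only by `PASS_REGULAR_EXPRESSION`, and CTest ignores the process exit code when that property is set. A run that prints "too many function arguments" and then dies from memory corruption would therefore still be reported as passing. Since the defect being fixed is an out-of-bounds stack write, it is worth recording this limit next to the test, e.g. `# NOTE: PASS_REGULAR_EXPRESSION ignores the exit status; this does not catch a crash after the diagnostic is printed`. A second check that looks at how the process ended would close the gap, for instance registering the same file in the "Crashers" group below, if that group separates a signal from an ordinary error exit. Its helper definition is not visible in this hunk, so that needs confirming.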


@ -0,0 +1,5 @@
native printf(const format[], ...);
main() {
printf("", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
}