From 7a53a93574ab24fbb1eb5661bfd7e2352a293dc0 Mon Sep 17 00:00:00 2001
From: Zeex
Date: Sun, 22 Apr 2018 18:48:31 +0600
Subject: [PATCH] Fix crash when number of arguments exceeds sMAXARGS

During first pass the call to error() is ignored and therefore doesn't break ouf of the loop. This causes stack courrption because of OBB write to arglist. Fixes #298.
---
 source/compiler/sc3.c | 4 +++-
 source/compiler/tests/CMakeLists.txt | 3 +++
 source/compiler/tests/too_many_args_crash_gh_298.pwn | 5 +++++
 3 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 source/compiler/tests/too_many_args_crash_gh_298.pwn

diff --git a/source/compiler/sc3.c b/source/compiler/sc3.c
index 235680e..e583c3f 100644
--- a/source/compiler/sc3.c
+++ b/source/compiler/sc3.c
@@ -2078,8 +2078,10 @@ static int nesting=0;
 * of the function; check it again for functions with a variable
 * argument list
 */
- if (argpos>=sMAXARGS)
+ if (argpos>=sMAXARGS) {
 error(45); /* too many function arguments */
+ break;
+ } /* if */
 stgmark((char)(sEXPRSTART+argpos));/* mark beginning of new expression in stage */
 if (arglist[argpos]!=ARG_UNHANDLED)
 error(58); /* argument already set */
diff --git a/source/compiler/tests/CMakeLists.txt b/source/compiler/tests/CMakeLists.txt
index a341039..9b3d52c 100644
--- a/source/compiler/tests/CMakeLists.txt
+++ b/source/compiler/tests/CMakeLists.txt
@@ -45,6 +45,9 @@ set_tests_properties(gh_283 PROPERTIES PASS_REGULAR_EXPRESSION "\
 .*\\.pwn\\(5\\) : warning 234: function is deprecated \\(symbol \"print\"\\)\
 ")
 
+add_compiler_test(too_many_args_crash_gh_298 ${CMAKE_CURRENT_SOURCE_DIR}/too_many_args_crash_gh_298.pwn)
+set_tests_properties(too_many_args_crash_gh_298 PROPERTIES PASS_REGULAR_EXPRESSION "too many function arguments")
+
 # Crashers
 #
 # These tests simply check that the compiler doesn't crash.
diff --git a/source/compiler/tests/too_many_args_crash_gh_298.pwn b/source/compiler/tests/too_many_args_crash_gh_298.pwn
new file mode 100644
index 0000000..525936c
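Review bot: The added `break` is the right guard, but nothing at the site says why it is needed: per the commit message error() is non-fatal during the first pass, so continuing past `if (argpos>=sMAXARGS)` wrote `arglist[argpos]` one past the end of a stack array. A comment would keep the next reader from folding the guard back into a bare error() call, e.g. `break; /* error() does not abort the first pass; never index arglist[] at or past sMAXARGS */`. The enclosing function starts and ends outside the hunk, so I cannot confirm whether other writes indexed by argpos in it (after the loop, or on the named-argument path) are bounded the same way; they should be checked against the same limit rather than relying on error() to stop compilation.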
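Review bot: The regression under test is a crash, but setting `PASS_REGULAR_EXPRESSION` makes CTest ignore the process exit status, so a compiler that prints `too many function arguments` and then crashes afterwards would still pass `too_many_args_crash_gh_298`. Consider registering the same .pwn file a second time in the Crashers section below, which per its own comment only checks that the compiler does not crash, so that both the diagnostic and the absence of a crash are asserted. Whether add_compiler_test itself inspects the exit status is outside the hunk, so this may already be covered.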
--- /dev/null
+++ b/source/compiler/tests/too_many_args_crash_gh_298.pwn
@@ -0,0 +1,5 @@
+native printf(const format[], ...);
+
+main() {
+ printf("", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+}
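Review bot: The test file gives no hint of how many arguments it passes or what the expected outcome is, so its relation to sMAXARGS is only recoverable from the file name. A one-line comment at the top would make it self-explaining, e.g. `// More arguments than sMAXARGS: must report error 045, not crash (gh-298).`, and a note that the count must stay above sMAXARGS if that limit is ever raised would keep the test meaningful.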