1berry/pawn-compiler
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix crash with long function names

Browse Source 
This fixes a buffer overrun introduced by commit eba8474294c1c106dd6e4f62a73160798f16458d.

The crash happens in do_call() when a function name was longer than
the max. allowed (sNAMEMAX) because of the leading '.' (dot) inserted
in command().

--------- test code --------

#include <a_samp>

OverlyLongFunctionNameYouCantEvenBotherToRead() {
	print("hey");
}

main() {
	OverlyLongFunctionNameYouCantEvenBotherToRead();
}

----- end of test code -----
This commit is contained in:
Zeex 2014-04-02 22:35:56 +07:00
parent 7ee5e98e30
commit b54729c03c
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
source/compiler/sc6.c
View File

@ -395,14 +395,14 @@ static cell do_dump(FILE *fbin,char *params,cell opcode)
static cell do_call(FILE *fbin,char *params,cell opcode) static cell do_call(FILE *fbin,char *params,cell opcode)
{ {
char name[sNAMEMAX+1]; char name[sNAMEMAX+2]; /* +1 for a possible leading dot */
int i; int i;
symbol *sym; symbol *sym;
ucell p; ucell p;
for (i=0; !isspace(*params); i++,params++) { for (i=0; !isspace(*params); i++,params++) {
assert(*params!='\0'); assert(*params!='\0');
assert(i<sNAMEMAX); assert(i<sNAMEMAX+1);
name[i]=*params; name[i]=*params;
} /* for */ } /* for */
name[i]='\0'; name[i]='\0';