1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Possible crash in QMakeSourceFileInfo

Browse Source 
CID 155005: Possible illegal access in string. Some loops were
reading the buffer without checking the bounds.

Change-Id: I910671a6d56808138ec2bb5d96bd7edf78b20f73
Reviewed-by: Edward Welbourne <edward.welbourne@theqtcompany.com>
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
This commit is contained in:
Jesus Fernandez 2016-04-15 15:27:45 +02:00
parent f3d38d0c29
commit 3da965ccd9
1 changed files with 40 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
qmake/generators/makefiledeps.cpp
View File

@ -409,9 +409,9 @@ static bool matchWhileUnsplitting(const char *buffer, int buffer_len, int start,
int *matchlen, int *lines) int *matchlen, int *lines)
{ {
int x = start; int x = start;
for (int n = 0; n < needle_len && x < buffer_len; for (int n = 0; n < needle_len;
n++, x = skipEscapedLineEnds(buffer, buffer_len, x + 1, lines)) { n++, x = skipEscapedLineEnds(buffer, buffer_len, x + 1, lines)) {
if (buffer[x] != needle[n]) if (x >= buffer_len || buffer[x] != needle[n])
return false; return false;
} }
// That also skipped any remaining BSNLs immediately after the match. // That also skipped any remaining BSNLs immediately after the match.
@ -572,24 +572,29 @@ bool QMakeSourceFileInfo::findDeps(SourceFile *file)
++x; ++x;
if (buffer_len >= x + 12 && !strncmp(buffer + x, "includehint", 11) && if (buffer_len >= x + 12 && !strncmp(buffer + x, "includehint", 11) &&
(buffer[x + 11] == ' ' || buffer[x + 11] == '>')) { (buffer[x + 11] == ' ' || buffer[x + 11] == '>')) {
for (x += 11; buffer[x] != '>'; ++x) {} // skip for (x += 11; x < buffer_len && buffer[x] != '>'; ++x) {} // skip
int inc_len = 0; int inc_len = 0;
for (x += 1 ; buffer[x + inc_len] != '<'; ++inc_len) {} // skip for (++x; x + inc_len < buffer_len && buffer[x + inc_len] != '<'; ++inc_len) {} // skip
buffer[x + inc_len] = '\0'; if (x + inc_len < buffer_len) {
inc = buffer + x; buffer[x + inc_len] = '\0';
inc = buffer + x;
}
} else if (buffer_len >= x + 13 && !strncmp(buffer + x, "customwidget", 12) && } else if (buffer_len >= x + 13 && !strncmp(buffer + x, "customwidget", 12) &&
(buffer[x + 12] == ' ' || buffer[x + 12] == '>')) { (buffer[x + 12] == ' ' || buffer[x + 12] == '>')) {
for (x += 13; buffer[x] != '>'; ++x) {} // skip up to > for (x += 13; x < buffer_len && buffer[x] != '>'; ++x) {} // skip up to >
while(x < buffer_len) { while(x < buffer_len) {
for (x++; buffer[x] != '<'; ++x) {} // skip up to < while (++x < buffer_len && buffer[x] != '<') {} // skip up to <
x++; x++;
if(buffer_len >= x + 7 && !strncmp(buffer+x, "header", 6) && if(buffer_len >= x + 7 && !strncmp(buffer+x, "header", 6) &&
(buffer[x + 6] == ' ' || buffer[x + 6] == '>')) { (buffer[x + 6] == ' ' || buffer[x + 6] == '>')) {
for (x += 7; buffer[x] != '>'; ++x) {} // skip up to > for (x += 7; x < buffer_len && buffer[x] != '>'; ++x) {} // skip up to >
int inc_len = 0; int inc_len = 0;
for (x += 1 ; buffer[x + inc_len] != '<'; ++inc_len) {} // skip for (++x; x + inc_len < buffer_len && buffer[x + inc_len] != '<';
buffer[x + inc_len] = '\0'; ++inc_len) {} // skip
inc = buffer + x; if (x + inc_len < buffer_len) {
buffer[x + inc_len] = '\0';
inc = buffer + x;
}
break; break;
} else if(buffer_len >= x + 14 && !strncmp(buffer+x, "/customwidget", 13) && } else if(buffer_len >= x + 14 && !strncmp(buffer+x, "/customwidget", 13) &&
(buffer[x + 13] == ' ' || buffer[x + 13] == '>')) { (buffer[x + 13] == ' ' || buffer[x + 13] == '>')) {
@ -599,20 +604,18 @@ bool QMakeSourceFileInfo::findDeps(SourceFile *file)
} }
} else if(buffer_len >= x + 8 && !strncmp(buffer + x, "include", 7) && } else if(buffer_len >= x + 8 && !strncmp(buffer + x, "include", 7) &&
(buffer[x + 7] == ' ' || buffer[x + 7] == '>')) { (buffer[x + 7] == ' ' || buffer[x + 7] == '>')) {
for (x += 8; buffer[x] != '>'; ++x) { for (x += 8; x < buffer_len && buffer[x] != '>'; ++x) {
if (buffer_len >= x + 9 && buffer[x] == 'i' && if (buffer_len >= x + 9 && buffer[x] == 'i' &&
!strncmp(buffer + x, "impldecl", 8)) { !strncmp(buffer + x, "impldecl", 8)) {
for (x += 8; buffer[x] != '='; ++x) {} // skip for (x += 8; x < buffer_len && buffer[x] != '='; ++x) {} // skip
if (buffer[x] != '=') while (++x < buffer_len && (buffer[x] == '\t' || buffer[x] == ' ')) {} // skip
continue;
for (++x; buffer[x] == '\t' || buffer[x] == ' '; ++x) {} // skip
char quote = 0; char quote = 0;
if (buffer[x] == '\'' || buffer[x] == '"') { if (x < buffer_len && (buffer[x] == '\'' || buffer[x] == '"')) {
quote = buffer[x]; quote = buffer[x];
++x; ++x;
} }
int val_len; int val_len;
for(val_len = 0; true; ++val_len) { for (val_len = 0; x + val_len < buffer_len; ++val_len) {
if(quote) { if(quote) {
if (buffer[x + val_len] == quote) if (buffer[x + val_len] == quote)
break; break;
@ -622,16 +625,22 @@ bool QMakeSourceFileInfo::findDeps(SourceFile *file)
} }
} }
//? char saved = buffer[x + val_len]; //? char saved = buffer[x + val_len];
buffer[x + val_len] = '\0'; if (x + val_len < buffer_len) {
if(!strcmp(buffer+x, "in implementation")) { buffer[x + val_len] = '\0';
//### do this if (!strcmp(buffer + x, "in implementation")) {
//### do this
}
} }
} }
} }
int inc_len = 0; int inc_len = 0;
for (x += 1 ; buffer[x + inc_len] != '<'; ++inc_len) {} // skip for (++x; x + inc_len < buffer_len && buffer[x + inc_len] != '<';
buffer[x + inc_len] = '\0'; ++inc_len) {} // skip
inc = buffer + x;
if (x + inc_len < buffer_len) {
buffer[x + inc_len] = '\0';
inc = buffer + x;
}
} }
} }
//read past new line now.. //read past new line now..
@ -645,14 +654,16 @@ bool QMakeSourceFileInfo::findDeps(SourceFile *file)
#define SKIP_BSNL(pos) skipEscapedLineEnds(buffer, buffer_len, (pos), &line_count) #define SKIP_BSNL(pos) skipEscapedLineEnds(buffer, buffer_len, (pos), &line_count)
// Seek code or directive, skipping comments and space: // Seek code or directive, skipping comments and space:
for(; x < buffer_len; ++x) { for (; (x = SKIP_BSNL(x)) < buffer_len; ++x) {
x = SKIP_BSNL(x);
if (buffer[x] == ' ' || buffer[x] == '\t') { if (buffer[x] == ' ' || buffer[x] == '\t') {
// keep going // keep going
} else if (buffer[x] == '/') { } else if (buffer[x] == '/') {
int extralines = 0; int extralines = 0;
int y = skipEscapedLineEnds(buffer, buffer_len, x + 1, &extralines); int y = skipEscapedLineEnds(buffer, buffer_len, x + 1, &extralines);
if (buffer[y] == '/') { // C++-style comment if (y >= buffer_len) {
x = y;
break;
} else if (buffer[y] == '/') { // C++-style comment
line_count += extralines; line_count += extralines;
x = SKIP_BSNL(y + 1); x = SKIP_BSNL(y + 1);
while (x < buffer_len && !qmake_endOfLine(buffer[x])) while (x < buffer_len && !qmake_endOfLine(buffer[x]))
@ -663,8 +674,7 @@ bool QMakeSourceFileInfo::findDeps(SourceFile *file)
} else if (buffer[y] == '*') { // C-style comment } else if (buffer[y] == '*') { // C-style comment
line_count += extralines; line_count += extralines;
x = y; x = y;
while (++x < buffer_len) { while ((x = SKIP_BSNL(++x)) < buffer_len) {
x = SKIP_BSNL(x);
if (buffer[x] == '*') { if (buffer[x] == '*') {
extralines = 0; extralines = 0;
y = skipEscapedLineEnds(buffer, buffer_len, y = skipEscapedLineEnds(buffer, buffer_len,