diff options
| author | mtb <39337159+mtb0x1@users.noreply.github.com> | 2024-06-19 01:09:19 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-06-18 16:09:19 -0700 |
| commit | 408bc7fbbe193648cb242bdbd096205aa776634b (patch) | |
| tree | aa179537fc8d2d40ab84a7d263aa10d03e83af4f /scripts | |
| parent | c3b9cde9d99efe46fc34af1d5b27351f34962e94 (diff) | |
| download | binaryen-408bc7fbbe193648cb242bdbd096205aa776634b.tar.gz binaryen-408bc7fbbe193648cb242bdbd096205aa776634b.tar.bz2 binaryen-408bc7fbbe193648cb242bdbd096205aa776634b.zip | |
fix(#6671): fix possible stack buffer overflow in gen-s-parser.inc (#6678)
The stack buffer overflow is occurring because memcpy(buf, op.data(),
op.size()); can write up to op.size() bytes into buf, but buf is only 33
bytes long. If op.size() is greater than 33, this will result in a
buffer overflow.
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/gen-s-parser.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/scripts/gen-s-parser.py b/scripts/gen-s-parser.py index d75be7635..2aa158c59 100755 --- a/scripts/gen-s-parser.py +++ b/scripts/gen-s-parser.py @@ -708,6 +708,10 @@ def instruction_parser(): printer.print_line("auto op = *keyword;") printer.print_line("char buf[{}] = {{}};".format(inst_length + 1)) + printer.print_line("// Ensure we do not copy more than the buffer can hold") + printer.print_line("if (op.size() >= sizeof(buf)) {") + printer.print_line(" goto parse_error;") + printer.print_line("}") printer.print_line("memcpy(buf, op.data(), op.size());") def print_leaf(expr, inst): @@ -754,9 +758,11 @@ def instruction_parser(): def print_header(): print("// DO NOT EDIT! This file generated by scripts/gen-s-parser.py\n") print("// clang-format off\n") + print("// NOLINTBEGIN\n") def print_footer(): + print("\n// NOLINTEND") print("\n// clang-format on") |