authorPaul Eggert <eggert@cs.ucla.edu>2017-04-29 23:35:27 -0700
committerPaul Eggert <eggert@cs.ucla.edu>2017-04-29 23:35:46 -0700
commita3f3fea14abbc59a2b47cae5bec6252ec3a1f8cf (patch)
tree9539ab24679a257a5282d626350a1af01b9e2aa5 /lib-src/make-docfile.c
parent7cc329fd734992369efd17f6758a732bc5377908 (diff)
Fix buffer overflow in make-docfile
* lib-src/make-docfile.c (scan_c_stream): Check for buffer overflow when reading an identifier. Use a static buffer for NAME rather than a small dynamically-allocated buffer.
Diffstat (limited to 'lib-src/make-docfile.c')
-rw-r--r--lib-src/make-docfile.c16
1 files changed, 3 insertions, 13 deletions
diff --git a/lib-src/make-docfile.c b/lib-src/make-docfile.c
index 53970a06238..9470bd635f5 100644
--- a/lib-src/make-docfile.c
+++ b/lib-src/make-docfile.c
@@ -845,8 +845,7 @@ scan_c_stream (FILE *infile)
bool defvarperbufferflag = false;
bool defvarflag = false;
enum global_type type = INVALID;
- static char *name;
- static ptrdiff_t name_size;
+ static char name[sizeof input_buffer];
if (c != '\n' && c != '\r')
{
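Review bot: The declaration `static char name[sizeof input_buffer];` relies on an invariant that is not written down: the later `memcpy (name, input_buffer, i + 1)` is in bounds only while NAME is at least as large as input_buffer. A one-line comment on the declaration, e.g. `/* Same size as input_buffer, so an identifier plus its NUL always fits. */`, would keep a future resize of either buffer from quietly reintroducing the overflow. The reason NAME remains `static` is also not evident from the hunk; if it is only to keep the array off the stack or to preserve it across iterations, the comment should say so. scan_c_stream's body starts and ends outside the hunk.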
@@ -967,22 +966,13 @@ scan_c_stream (FILE *infile)
if (c < 0)
goto eof;
input_buffer[i++] = c;
+ if (sizeof input_buffer <= i)
+ fatal ("identifier too long");
c = getc (infile);
}
while (! (c == ',' || c == ' ' || c == '\t'
|| c == '\n' || c == '\r'));
input_buffer[i] = '\0';
-
- if (name_size <= i)
- {
- free (name);
- name_size = i + 1;
- ptrdiff_t doubled;
- if (! INT_MULTIPLY_WRAPV (name_size, 2, &doubled)
- && doubled <= SIZE_MAX)
- name_size = doubled;
- name = xmalloc (name_size);
- }
memcpy (name, input_buffer, i + 1);
if (type == SYMBOL)
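Review bot: The added guard `if (sizeof input_buffer <= i)` runs after the store and increment, so it is correct only because it stops one slot early and leaves room for the `input_buffer[i] = '\0'` written after the loop; that off-by-one reasoning deserves a comment such as `/* Stop one short of the end so the terminating NUL below still fits. */`. The comparison also mixes `size_t` with `i`, whose declaration is outside the hunk; if `i` is a signed int the conversion is harmless here because `i` is never negative at this point, but it is worth confirming that it compiles cleanly under the project's warning flags. Finally, `fatal ("identifier too long")` names neither the input file nor the offending identifier, which makes the failing source hard to locate in a large build; adding that context, if it is available at this point, would help. The enclosing do-loop begins outside the hunk.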