From: "Joseph S. Myers" <joseph@codesourcery.com>
To: Ed Smith-Rowland <3dw4rd@verizon.net>
Cc: gcc-patches@gcc.gnu.org
Subject: Re: [C++0x] User-Defined Literals
Date: Tue, 12 Apr 2011 12:20:00 -0000
Message-ID: <Pine.LNX.4.64.1104121211520.14228@digraph.polyomino.org.uk>
In-Reply-To: <4DA3B332.4090408@verizon.net>
On Mon, 11 Apr 2011, Ed Smith-Rowland wrote:
> + case CPP_CHAR_USERDEF:
> + case CPP_WCHAR_USERDEF:
> + case CPP_CHAR16_USERDEF:
> + case CPP_CHAR32_USERDEF:
> + {
> + tree literal;
> + cpp_token temp_tok = *tok;
> + char suffix[256] = "";
> + cpp_get_userdef_suffix (tok->val.str, '\'', suffix);
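Review bot: the call `cpp_get_userdef_suffix (tok->val.str, '\'', suffix)` hands the helper a destination but no capacity, so nothing in this hunk can bound the copy even if the caller wanted to; have the helper derive the suffix length from the token's string and either return a pointer into that string plus the length or return a copy allocated to exactly that length, rather than filling a caller-supplied `char suffix[256]`.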
This fixed-length buffer appears to have a buffer overrun vulnerability;
you must avoid such overruns in the presence of suffixes of arbitrary
length (up to 2GB, anyway, so don't assume they are short enough to
allocate on the stack; once you get past values representable in "int"
there are lots of pre-existing problems including "int" being used for the
length of a STRING_CST) unless there is some other reason long suffixes
cannot occur.
> + case CPP_STRING_USERDEF:
> + case CPP_WSTRING_USERDEF:
> + case CPP_STRING16_USERDEF:
> + case CPP_STRING32_USERDEF:
> + case CPP_UTF8STRING_USERDEF:
> + {
> + tree literal;
> + char suffix[256] = "";
> + cpp_get_userdef_suffix (tok->val.str, '"', suffix);
Likewise.
> + copylen -= strlen(suffix);
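Review bot: `copylen -= strlen (suffix)` trusts that `suffix` holds the whole suffix, so once the 256-byte buffer has truncated a long suffix the literal body length computed here is wrong as well as the suffix itself; compute the suffix length from the token text once, use that same value for the copy and for adjusting `copylen`, and check it does not exceed `copylen` before subtracting.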
Missing space before '('. There are lots of other spacing problems in
this patch - spaces missing before '(', or in casts, or spaces present
where they shouldn't be.
> + char suffix[256] = "", curr_suffix[256] = "";
More fixed-size buffers that need fixing.
> + /* If the numeric argument didn't work, look for a raw literal
> + operator taking a const char* argument consisting of the number
> + in string format. */
> + char str[256] = "";
And yet more.
> +/* Return an identifier node for a user-defined literal operator.
> + The suffix identifier is chained to the operator name identifier. */
> +
> +static tree
> +cp_literal_operator_id (const char* name)
> +{
> + tree identifier;
> + char buffer[256];
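Review bot: `cp_literal_operator_id` receives `name` with no length limit and composes the operator name into `buffer[256]`; size the scratch space from `strlen (name)` plus the fixed prefix (XNEWVEC/alloca with a computed length, or `concat`) before building the identifier, and add a comment stating the expected form of `name`.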
And more.
> +static void
> +write_literal_operator_name (tree identifier)
> +{
> + tree suffix_id;
> + char buffer[256];
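Review bot: same sizing problem in `write_literal_operator_name`: the length of the chained suffix identifier is known (IDENTIFIER_LENGTH of `suffix_id`), so the output can be sized from it instead of from a fixed `buffer[256]`.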
And more.
> + if (type == CPP_STRING_USERDEF )
And here you have lots of cases of excess space before ')'.
--
Joseph S. Myers
joseph@codesourcery.com
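The fixed-buffer problem raised in this review, as an added C example that is not part of the message above nor of the GCC patch it discusses: a hypothetical suffix extractor that sizes its output from the input so a suffix of any length survives intact, a body-length computation taken from the token text rather than from a possibly truncated copy, and a check for whether a 256-byte buffer would be overrun. The token spelling format (`'a'_km`, `"abc"_s`) and every function name here are assumptions for illustration, not libcpp's `cpp_get_userdef_suffix` or its `cpp_string` representation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size hard-coded by the reviewed patch for its suffix buffers.  */
#define FIXED_SUFFIX_BUF 256

/* Assumed token spelling: a character or string literal followed by a
   user-defined suffix, e.g.  'a'_km  or  "abc"_s.  The suffix is an
   identifier and never contains the quote character, so the last quote
   in the spelling is the closing quote.  Returns NULL if none is found.  */
static const char *
find_userdef_suffix (const char *spelling, char quote)
{
  const char *close = strrchr (spelling, quote);
  return close ? close + 1 : NULL;
}

/* Hardened form: the destination is allocated to the suffix's actual
   length, so no input can overrun it.  Caller frees the result.  */
char *
userdef_suffix_alloc (const char *spelling, char quote)
{
  const char *start = find_userdef_suffix (spelling, quote);
  size_t len;
  char *out;

  if (!start)
    return NULL;
  len = strlen (start);
  out = malloc (len + 1);
  if (!out)
    return NULL;
  memcpy (out, start, len + 1);   /* includes the terminating NUL */
  return out;
}

/* Length of the literal body (everything before the suffix), computed
   from the token text itself rather than as copylen - strlen (suffix)
   on a copy that may have been truncated.  */
size_t
userdef_body_len (const char *spelling, char quote)
{
  const char *start = find_userdef_suffix (spelling, quote);
  return start ? (size_t) (start - spelling) : strlen (spelling);
}

/* Defensive check: would a fixed FIXED_SUFFIX_BUF-byte buffer be overrun
   by this spelling?  The suffix plus its NUL must fit.  */
int
would_overrun_fixed_buffer (const char *spelling, char quote)
{
  const char *start = find_userdef_suffix (spelling, quote);
  return start != NULL && strlen (start) + 1 > FIXED_SUFFIX_BUF;
}

/* Constructed sample input: the character literal 'a' followed by a
   suffix of '_' and N copies of 'x'.  Caller frees the result.  */
char *
make_spelling (size_t n)
{
  char *s = malloc (3 + 1 + n + 1);   /* 'a' + '_' + suffix + NUL */
  if (!s)
    return NULL;
  memcpy (s, "'a'_", 4);
  memset (s + 4, 'x', n);
  s[4 + n] = '\0';
  return s;
}

int
main (void)
{
  /* A 301-character suffix: well past what the fixed buffer could hold.  */
  char *big = make_spelling (300);
  char *suffix = big ? userdef_suffix_alloc (big, '\'') : NULL;

  if (!big || !suffix)
    {
      free (big);
      return 1;
    }
  printf ("suffix length %zu, body length %zu, fixed buffer overrun: %s\n",
          strlen (suffix), userdef_body_len (big, '\''),
          would_overrun_fixed_buffer (big, '\'') ? "yes" : "no");
  free (suffix);
  free (big);
  return 0;
}
```

The point of `userdef_body_len` is the `copylen -= strlen (suffix)` line in the patch: once the suffix length is taken from the token text, the same value serves both the copy and the body-length adjustment, and a truncated copy can no longer skew either.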