Date: Tue, 12 Apr 2011 12:20:00 -0000
From: "Joseph S. Myers"
To: Ed Smith-Rowland <3dw4rd@verizon.net>
cc: gcc-patches@gcc.gnu.org
Subject: Re: [C++0x] User-Defined Literals
In-Reply-To: <4DA3B332.4090408@verizon.net>
References: <4DA3B332.4090408@verizon.net>
X-SW-Source: 2011-04/txt/msg00862.txt.bz2

On Mon, 11 Apr 2011, Ed Smith-Rowland wrote:

> + case CPP_CHAR_USERDEF:
> + case CPP_WCHAR_USERDEF:
> + case CPP_CHAR16_USERDEF:
> + case CPP_CHAR32_USERDEF:
> + {
> + tree literal;
> + cpp_token temp_tok = *tok;
> + char suffix[256] = "";
> + cpp_get_userdef_suffix (tok->val.str, '\'', suffix);

This fixed-length buffer appears to have a buffer overrun vulnerability; you must avoid such overruns in the presence of suffixes of arbitrary length (up to 2GB, anyway, so don't assume they are short enough to allocate on the stack; once you get past values representable in "int" there are lots of pre-existing problems including "int" being used for the length of a STRING_CST) unless there is some other reason long suffixes cannot occur.

> + case CPP_STRING_USERDEF:
> + case CPP_WSTRING_USERDEF:
> + case CPP_STRING16_USERDEF:
> + case CPP_STRING32_USERDEF:
> + case CPP_UTF8STRING_USERDEF:
> + {
> + tree literal;
> + char suffix[256] = "";
> + cpp_get_userdef_suffix (tok->val.str, '"', suffix);

Likewise.

> + copylen -= strlen(suffix);

Missing space before '('. There are lots of other spacing problems in this patch - spaces missing before '(', or in casts, or spaces present where they shouldn't be.

> + char suffix[256] = "", curr_suffix[256] = "";

More fixed-size buffers that need fixing.

> + /* If the numeric argument didn't work, look for a raw literal
> + operator taking a const char* argument consisting of the number
> + in string format. */
> + char str[256] = "";

And yet more.

> +/* Return an identifier node for a user-defined literal operator.
> + The suffix identifier is chained to the operator name identifier. */
> +
> +static tree
> +cp_literal_operator_id (const char* name)
> +{
> + tree identifier;
> + char buffer[256];

And more.

> +static void
> +write_literal_operator_name (tree identifier)
> +{
> + tree suffix_id;
> + char buffer[256];

And more.

> + if (type == CPP_STRING_USERDEF )

And here you have lots of cases of excess space before ')'.

-- 
Joseph S. Myers
joseph@codesourcery.com
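Review bot: in the CPP_CHAR_USERDEF and CPP_STRING_USERDEF cases, `char suffix[256] = "";` is passed to `cpp_get_userdef_suffix (tok->val.str, '\'', suffix);` without any capacity argument, so the callee has no way to know where the destination ends and a suffix longer than 255 bytes writes past the end of the stack frame; the same shape recurs in `char suffix[256] = "", curr_suffix[256] = "";` and `char str[256] = "";`. Since the suffix is extracted from tok->val.str, its length is bounded by that string's length (tok->val.str.len), so the storage can be sized exactly: either allocate len + 1 bytes on the heap (XNEWVEC) and free it once the literal tree has been built, or change cpp_get_userdef_suffix to take the buffer size (returning the suffix length or failing when it does not fit) so no caller can overrun it. Whichever route is taken, `copylen -= strlen(suffix);` should then use the returned length rather than re-scanning the buffer.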
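Review bot: `char buffer[256];` in cp_literal_operator_id (const char* name) and in write_literal_operator_name (tree identifier) has the same problem as the parser buffers: both functions assemble an operator name from a suffix whose length the function does not control, so a fixed 256-byte array either overruns or, if the copy is bounded, silently truncates and yields a wrong identifier or mangled name. Suggest computing the required size from the input (strlen (name) plus the fixed prefix, or IDENTIFIER_LENGTH of the chained suffix identifier) and allocating with XNEWVEC, or building the string with libiberty's concat () and freeing it after the identifier has been interned.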