
2008-02-06

2008-02-06 19:17:14 by Martin Stjernholm <mast@lysator.liu.se>

Fixed some cases where invalid string lengths in encoded data could slip by
the range checks and cause segfaults instead of pike errors. Also improved
the error messages a bit for those cases.

Rev: src/encode.c:1.190

2:   || This file is part of Pike. For copyright information see COPYRIGHT.   || Pike is distributed under GPL, LGPL and MPL. See the file COPYING   || for more information. - || $Id: encode.c,v 1.189 2005/05/31 15:33:38 mast Exp $ + || $Id: encode.c,v 1.190 2008/02/06 19:17:14 mast Exp $   */      #include "global.h"
32:   #include "opcodes.h"   #include "peep.h"    - RCSID("$Id: encode.c,v 1.189 2005/05/31 15:33:38 mast Exp $"); + RCSID("$Id: encode.c,v 1.190 2008/02/06 19:17:14 mast Exp $");      /* #define ENCODE_DEBUG */   
1907:    if((LEN) == -1) \    { \    INT32 what, e, num, numh; \ +  ptrdiff_t sz; \    DECODE("get_string_data"); \    what &= TAG_MASK; \ -  if(data->ptr + num > data->len || num <0) \ -  Pike_error("Failed to decode string. (string range error)\n"); \ +     if(what<0 || what>2) \ -  Pike_error("Failed to decode string. (Illegal size shift)\n"); \ -  STR=begin_wide_shared_string(num, what); \ -  MEMCPY(STR->str, data->data + data->ptr, num << what); \ -  data->ptr+=(num << what); \ +  Pike_error ("Failed to decode string: Illegal size shift %d.\n", \ +  what); \ +  sz = (ptrdiff_t) num << what; \ +  if (sz < 0) \ +  Pike_error ("Failed to decode string: Illegal negative size " \ +  "%"PRINTPTRDIFFT"d.\n", sz); \ +  if (sz > data->len - data->ptr) \ +  Pike_error ("Failed to decode string: Too large size %"PRINTPTRDIFFT"d " \ +  "(max is %"PRINTPTRDIFFT"d).\n", \ +  sz, data->len - data->ptr); \ +  STR=begin_wide_shared_string(num, what); \ +  MEMCPY(STR->str, data->data + data->ptr, sz); \ +  data->ptr += sz; \    BITFLIP(STR); \    STR=end_shared_string(STR); \    }else{ \ -  if(data->ptr + (LEN) > data->len || (LEN) <0) \ -  Pike_error("Failed to decode string. (string range error)\n"); \ -  STR=make_shared_binary_string((char *)(data->data + data->ptr), (LEN)); \ -  data->ptr+=(LEN); \ +  ptrdiff_t sz = (LEN); \ +  if (sz < 0) \ +  Pike_error ("Failed to decode string: Illegal negative size " \ +  "%"PRINTPTRDIFFT"d.\n", sz); \ +  if (sz > data->len - data->ptr) \ +  Pike_error ("Failed to decode string: Too large size %"PRINTPTRDIFFT"d " \ +  "(max is %"PRINTPTRDIFFT"d).\n", \ +  sz, data->len - data->ptr); \ +  STR=make_shared_binary_string((char *)(data->data + data->ptr), sz); \ +  data->ptr += sz; \    } \   }while(0)
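Review bot: In the `(LEN) == -1` branch, `sz = (ptrdiff_t) num << what;` shifts before anything has rejected a negative `num`, and left-shifting a negative value is undefined behaviour, so the `sz < 0` test that follows cannot be relied on to catch it. Where `ptrdiff_t` is no wider than `INT32` the shift can also overflow, and a wrapped `sz` could pass both checks while `begin_wide_shared_string(num, what)` still receives the unshifted `num`. Checking the count before shifting avoids both: `if (num < 0 || num > (data->len - data->ptr) >> what) Pike_error ("Failed to decode string: Illegal size %d.\n", num);` placed ahead of the `sz` assignment (this assumes `data->ptr` never exceeds `data->len`, which is not visible here). The macro's `#define` line and opening `do {` lie outside the hunk.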