shithub: rgbds


ref: 1decf5d0d45e8ec6a8a0fc0d4ba640dcc1f2fb13
parent: 54e5bf0f0c60b7ccc80215bfe10571267474e7f8
author: dbrotz <[email protected]>
date: Sun Jun 16 11:50:56 EDT 2019

Fix out of bounds array access in lexer
If the type char is signed, then in the function
yylex_GetFloatMaskAndFloatLen(), *s can have a negative value and be converted
to a negative int32_t which is then used as an array index. It should be
converted to uint8_t instead to ensure that the value is in the bounds of the
tFloatingFirstChar, tFloatingSecondChar, and tFloatingChars arrays.

--- a/src/asm/lexer.c
+++ b/src/asm/lexer.c
@@ -471,17 +471,17 @@
 
 	char *s = pLexBuffer;
 	uint32_t nOldFloatMask = 0;
-	uint32_t nFloatMask = tFloatingFirstChar[(int32_t)*s];
+	uint32_t nFloatMask = tFloatingFirstChar[(uint8_t)*s];
 
 	if (nFloatMask != 0) {
 		s++;
 		nOldFloatMask = nFloatMask;
-		nFloatMask &= tFloatingSecondChar[(int32_t)*s];
+		nFloatMask &= tFloatingSecondChar[(uint8_t)*s];
 
 		while (nFloatMask != 0) {
 			s++;
 			nOldFloatMask = nFloatMask;
-			nFloatMask &= tFloatingChars[(int32_t)*s];
+			nFloatMask &= tFloatingChars[(uint8_t)*s];
 		}
 	}
 
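Review bot: The three `(uint8_t)*s` indexes are only in bounds if tFloatingFirstChar, tFloatingSecondChar and tFloatingChars each hold at least 256 entries, and their declarations are outside this hunk, so that guarantee cannot be checked from here. If they are true arrays, a compile-time check next to their definitions would pin it, e.g. `_Static_assert(sizeof(tFloatingChars) / sizeof(tFloatingChars[0]) == 256, "indexed by uint8_t");`, repeated for the other two tables. Separately, the `while (nFloatMask != 0)` loop advances `s` with no visible end-of-buffer test, so it presumably relies on the table entry for the terminating byte being 0; a short comment stating that would help the next reader. Reading through a single `const uint8_t *` alias of `pLexBuffer` would also remove the repeated cast and make it harder to reintroduce a signed index. The enclosing function begins and ends outside the hunk.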
--- /dev/null
+++ b/test/asm/garbage_char.asm
@@ -1,0 +1,1 @@
+x
\ No newline at end of file
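Review bot: As rendered on this page the fixture body is a single `x`, which is plain ASCII and would never become a negative `char`; presumably the real file holds a byte above 0x7F that the page could not display, and that is worth confirming in the repository. Even with such a byte, the pre-fix behaviour was an out-of-bounds read whose result is unpredictable, so the expected `syntax error` output may also have been produced before the fix on some builds. The test therefore documents the intended behaviour, but it will probably only catch a regression reliably when the suite is run with `-fsanitize=address,undefined`. A raw high byte in a text fixture can also be altered by editors or line-ending conversion, so marking the file as binary in the repository attributes may be worthwhile.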
--- /dev/null
+++ b/test/asm/garbage_char.out
@@ -1,0 +1,3 @@
+ERROR: garbage_char.asm(1):
+    syntax error
+error: Assembly aborted (1 errors)!
--- /dev/null
+++ b/test/asm/garbage_char.out.pipe
@@ -1,0 +1,3 @@
+ERROR: -(1):
+    syntax error
+error: Assembly aborted (1 errors)!