[Crosstoolchain-logs] [device-tree-compiler] 171/198: Fix some bugs in processing of line directives

Hector Oron zumbi at moszumanska.debian.org
Thu Dec 8 17:07:06 UTC 2016 

This is an automated email from the git hooks/post-receive script.

zumbi pushed a commit to branch upstream/1.4.x
in repository device-tree-compiler.

commit b43345039b03ac5691961e1ce37dfb8c4c03a863
Author: David Gibson <david at gibson.dropbear.id.au>
Date:   Mon Jan 4 22:56:39 2016 +1100

    Fix some bugs in processing of line directives
    
    In order to work with preprocessed dts files more easily, dts will parse
    line number information in the form emitted by cpp.
    
    Anton Blanchard (using a fuzzer) reported that including a line number
    directive with a nul character (a literal nul in the input file, not a \0
    sequence) would cause dtc to SEGV.  I spotted several more problems on
    examining the code:
        * It modified yytext in place which seems to work, but is ugly and I'm
          not sure if it's safe on all lex/flex versions
        * The regexp used in the lexer to recognize line number information
          accepts strings with escape characters, but it won't process these
          escapes.
            - GNU cpp at least, will generate \ escapes in line number
              information, at least with files containing " or \ in the name
    
    This patch reworks the handling of line number information to address
    these problems.  \ escapes should now be handled directly.  nuls in file
    names (either with a literal nul in the input file, or with a \0 escape
    sequence) are still not permitted, but will now result in a lexical error
    rather than a SEGV.
    
    Reported-by: Anton Blanchard <anton at samba.org>
    Signed-off-by: David Gibson <david at gibson.dropbear.id.au>
---
 dtc-lexer.l                 |  34 +++++++++++++++++++++-------------
 tests/line_directives.dts   |   5 +++++
 tests/nul-in-line-info1.dts | Bin 0 -> 8 bytes
 tests/nul-in-line-info2.dts |   1 +
 tests/run_tests.sh          |   2 ++
 5 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/dtc-lexer.l b/dtc-lexer.l
index 22dda7d..790fbf6 100644
--- a/dtc-lexer.l
+++ b/dtc-lexer.l
@@ -73,24 +73,32 @@ static void lexical_error(const char *fmt, ...);
 		}
 
 <*>^"#"(line)?[ \t]+[0-9]+[ \t]+{STRING}([ \t]+[0-9]+)? {
-			char *line, *tmp, *fn;
+			char *line, *fnstart, *fnend;
+			struct data fn;
 			/* skip text before line # */
 			line = yytext;
 			while (!isdigit((unsigned char)*line))
 				line++;
-			/* skip digits in line # */
-			tmp = line;
-			while (!isspace((unsigned char)*tmp))
-				tmp++;
-			/* "NULL"-terminate line # */
-			*tmp = '\0';
-			/* start of filename */
-			fn = strchr(tmp + 1, '"') + 1;
-			/* strip trailing " from filename */
-			tmp = strchr(fn, '"');
-			*tmp = 0;
+
+			/* regexp ensures that first and list "
+			 * in the whole yytext are those at
+			 * beginning and end of the filename string */
+			fnstart = memchr(yytext, '"', yyleng);
+			for (fnend = yytext + yyleng - 1;
+			     *fnend != '"'; fnend--)
+				;
+			assert(fnstart && fnend && (fnend > fnstart));
+
+			fn = data_copy_escape_string(fnstart + 1,
+						     fnend - fnstart - 1);
+
+			/* Don't allow nuls in filenames */
+			if (memchr(fn.val, '\0', fn.len - 1))
+				lexical_error("nul in line number directive");
+
 			/* -1 since #line is the number of the next line */
-			srcpos_set_line(xstrdup(fn), atoi(line) - 1);
+			srcpos_set_line(xstrdup(fn.val), atoi(line) - 1);
+			data_free(fn);
 		}
 
 <*><<EOF>>		{
diff --git a/tests/line_directives.dts b/tests/line_directives.dts
index 046ef37..67b5e08 100644
--- a/tests/line_directives.dts
+++ b/tests/line_directives.dts
@@ -18,4 +18,9 @@
 # 10 "qux.dts"
 		0x12345678
 	>;
+/*
+ * Check processing of escapes in filenames
+ */
+# 100 "\".dts"
+# 200 "\\.dts"
 };
diff --git a/tests/nul-in-line-info1.dts b/tests/nul-in-line-info1.dts
new file mode 100644
index 0000000..ceb7261
Binary files /dev/null and b/tests/nul-in-line-info1.dts differ
diff --git a/tests/nul-in-line-info2.dts b/tests/nul-in-line-info2.dts
new file mode 100644
index 0000000..1157d23
--- /dev/null
+++ b/tests/nul-in-line-info2.dts
@@ -0,0 +1 @@
+# 0 "\0"
diff --git a/tests/run_tests.sh b/tests/run_tests.sh
index b40ba9c..8863c9a 100755
--- a/tests/run_tests.sh
+++ b/tests/run_tests.sh
@@ -293,6 +293,8 @@ libfdt_tests () {
     run_wrap_error_test $DTC division-by-zero.dts
     run_wrap_error_test $DTC bad-octal-literal.dts
     run_dtc_test -I dts -O dtb nul-in-escape.dts
+    run_wrap_error_test $DTC nul-in-line-info1.dts
+    run_wrap_error_test $DTC nul-in-line-info2.dts
 }
 
 dtc_tests () {

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/crosstoolchain/device-tree-compiler.git

More information about the Crosstoolchain-logs mailing list