Fix for buffer overflow on long ASL string literals. BZ 436

2025-02-25 09:54:42 +03:00 · 2006-06-28 16:14:37 +00:00 · 2006-06-28 16:14:37 +00:00 · 4a5255916e
commit 4a5255916e
parent 01eddd379a
3 changed files with 41 additions and 14 deletions
--- a/source/compiler/aslcompiler.l
+++ b/source/compiler/aslcompiler.l
@ -3,7 +3,7 @@
 /******************************************************************************
 *
 * Module Name: aslcompiler.l - Flex input file
- *              $Revision: 1.77 $
+ *              $Revision: 1.78 $
 *
 *****************************************************************************/

@ -926,7 +926,8 @@ comment2 (void)
 char
 literal (void)
 {
-    char                *s = MsgBuffer;
+    char                *StringBuffer = MsgBuffer;
+    char                *EndBuffer = MsgBuffer + ASL_MSG_BUFFER_SIZE;
    char                *CleanString;
    char                StringChar;
    UINT32              State = ASL_NORMAL_CHAR;
@ -1061,8 +1062,12 @@ DoCharacter:
                }
                else
                {
-                    *s = (char) Digit;
-                    s++;
+                    *StringBuffer = (char) Digit;
+                    StringBuffer++;
+                    if (StringBuffer >= EndBuffer)
+                    {
+                        goto BufferOverflow;
+                    }
                }

                State = ASL_NORMAL_CHAR;
@ -1102,8 +1107,12 @@ DoCharacter:
                }
                else
                {
-                    *s = (char) Digit;
-                    s++;
+                    *StringBuffer = (char) Digit;
+                    StringBuffer++;
+                    if (StringBuffer >= EndBuffer)
+                    {
+                        goto BufferOverflow;
+                    }
                }

                State = ASL_NORMAL_CHAR;
@ -1120,8 +1129,12 @@ DoCharacter:

        /* Save the finished character */

-        *s = StringChar;
-        s++;
+        *StringBuffer = StringChar;
+        StringBuffer++;
+        if (StringBuffer >= EndBuffer)
+        {
+            goto BufferOverflow;
+        }
    }

    /*
@ -1138,7 +1151,7 @@ CompletedString:
    /*
     * Null terminate the input string and copy string to a new buffer
     */
-    *s = 0;
+    *StringBuffer = 0;

    CleanString = UtGetStringBuffer (strlen (MsgBuffer) + 1);
    if (!CleanString)
@ -1153,6 +1166,17 @@ CompletedString:
    ACPI_STRCPY (CleanString, MsgBuffer);
    AslCompilerlval.s = CleanString;
    return (TRUE);
+
+
+BufferOverflow:
+
+    /* Literal was too long */
+
+    AslCommonError (ASL_ERROR, ASL_MSG_STRING_LENGTH,
+                    Gbl_CurrentLineNumber, Gbl_LogicalLineNumber,
+                    Gbl_CurrentLineOffset, Gbl_CurrentColumn,
+                    Gbl_Files[ASL_FILE_INPUT].Filename, "Max length 4096");
+    return (FALSE);
 }


--- a/source/compiler/aslglobal.h
+++ b/source/compiler/aslglobal.h
@ -3,7 +3,7 @@
 /******************************************************************************
 *
 * Module Name: aslglobal.h - Global variable definitions
- *              $Revision: 1.54 $
+ *              $Revision: 1.55 $
 *
 *****************************************************************************/

@ -147,7 +147,7 @@ extern char                         *AslCompilertext;
 extern char                         hex[];

 #define ASL_LINE_BUFFER_SIZE        512
-#define ASL_MSG_BUFFER_SIZE         (ASL_LINE_BUFFER_SIZE * 2)
+#define ASL_MSG_BUFFER_SIZE         4096
 #define HEX_TABLE_LINE_SIZE         8
 #define HEX_LISTING_LINE_SIZE       16

@ -206,6 +206,7 @@ ASL_EXTERN BOOLEAN                  ASL_INIT_GLOBAL (Gbl_HexOutputFlag, HEX_OUTP
 ASL_EXTERN ASL_FILE_INFO            Gbl_Files [ASL_NUM_FILES];

 ASL_EXTERN char                     *Gbl_DirectoryPath;
+ASL_EXTERN char                     ASL_INIT_GLOBAL (*Gbl_ExternalFilename, NULL);
 ASL_EXTERN char                     ASL_INIT_GLOBAL (*Gbl_IncludeFilename, NULL);
 ASL_EXTERN char                     ASL_INIT_GLOBAL (*Gbl_OutputFilenamePrefix, NULL);
 ASL_EXTERN char                     *Gbl_CurrentInputFilename;
--- a/source/compiler/asltypes.h
+++ b/source/compiler/asltypes.h
@ -2,7 +2,7 @@
 /******************************************************************************
 *
 * Module Name: asltypes.h - compiler data types and struct definitions
- *              $Revision: 1.87 $
+ *              $Revision: 1.88 $
 *
 *****************************************************************************/

@ -421,7 +421,8 @@ typedef enum
    ASL_MSG_TIMEOUT,
    ASL_MSG_RESULT_NOT_USED,
    ASL_MSG_NOT_REFERENCED,
-    ASL_MSG_NON_ZERO
+    ASL_MSG_NON_ZERO,
+    ASL_MSG_STRING_LENGTH

 } ASL_MESSAGE_IDS;

@ -534,7 +535,8 @@ char                        *AslMessages [] = {
 /*    ASL_MSG_TIMEOUT */                    "Possible operator timeout is ignored",
 /*    ASL_MSG_RESULT_NOT_USED */            "Result is not used, operator has no effect",
 /*    ASL_MSG_NOT_REFERENCED */             "Namespace object is not referenced",
-/*    ASL_MSG_NON_ZERO */                   "Operand evaluates to zero"
+/*    ASL_MSG_NON_ZERO */                   "Operand evaluates to zero",
+/*    ASL_MSG_STRING_LENGTH */              "String literal too long"

 };