mirror/CMake
1
0
Fork 0
mirror of https://github.com/Kitware/CMake.git synced 2026-01-11 08:20:18 -06:00
Code Issues Packages Projects Releases Wiki Activity

ListFileLexer: fix heap-buffer-overflow on malicious input

Browse Source 
In case a list file contains a null terminated string that is continued
until a later space, the lexer token information got inconsistent:

e.g. an argument   "TEST\0FOOBAR"    is passed by the lexer as a token

char* = "TEST\0FOOBAR" and length 11
             ^^ note: ascii 0x00

Using strdup in cmListFileLexer leads lexer->token.text to be allocated
with size 5 and lexer->token.length to be set to 11

A subsequent call to this function with an argument of  5 < length <= 11
wrongly assumed a sufficiently sized buffer and therefore corrupted the
heap buffer. The program might crash due to this corruption.
The case "NullTerminatedArgument" is intentionally using a quite large
'rest' to increase the chance to actually hit the issue. It will reliably
crash with address sanitizer enabled though.

This fix addresses all rules where arbitrary characters are matched to
ignore \0 in order to fall through to the rule that matches an arbitrary
character as BadCharacter.

Signed-off-by: Matthias Maennich <matthias@maennich.net>
This commit is contained in:
Matthias Maennich
2017-08-26 20:05:07 +02:00
committed by Brad King
parent f4aa346538
commit 14d9a11be9
6 changed files with 119 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files

198
Source/LexerParser/cmListFileLexer.c
View File

@@ -576,16 +576,16 @@ struct yy_trans_info
flex_int32_t yy_verify;
flex_int32_t yy_nxt;
};
static const flex_int16_t yy_accept[77] =
static const flex_int16_t yy_accept[81] =
{ 0,
0, 0, 0, 0, 0, 0, 0, 0, 4, 4,
25, 13, 22, 1, 16, 3, 13, 5, 6, 7,
15, 23, 17, 19, 20, 21, 10, 11, 8, 12,
9, 4, 13, 0, 13, 0, 22, 0, 0, 7,
13, 0, 13, 0, 2, 0, 13, 17, 0, 18,
10, 8, 4, 0, 14, 0, 0, 0, 0, 14,
0, 0, 14, 0, 0, 0, 2, 14, 0, 0,
0, 0, 0, 0, 0, 0
15, 23, 23, 17, 19, 20, 21, 17, 10, 11,
8, 10, 12, 9, 24, 4, 13, 0, 13, 0,
22, 0, 0, 7, 13, 0, 13, 0, 2, 0,
13, 17, 0, 18, 10, 8, 4, 0, 14, 0,
0, 0, 0, 14, 0, 0, 14, 0, 0, 0,
2, 14, 0, 0, 0, 0, 0, 0, 0, 0
} ;
static const YY_CHAR yy_ec[256] =
@@ -620,104 +620,122 @@ static const YY_CHAR yy_ec[256] =
1, 1, 1, 1, 1
} ;
static const YY_CHAR yy_meta[16] =
static const YY_CHAR yy_meta[17] =
{ 0,
1, 1, 2, 3, 4, 3, 1, 3, 5, 6,
1, 6, 1, 1, 7
1, 6, 1, 1, 7, 8
} ;
static const flex_int16_t yy_base[95] =
static const flex_int16_t yy_base[99] =
{ 0,
0, 0, 13, 25, 14, 16, 17, 18, 90, 88,
88, 39, 20, 237, 237, 74, 78, 237, 237, 13,
54, 0, 71, 237, 237, 31, 0, 237, 73, 237,
237, 0, 0, 65, 75, 0, 33, 30, 72, 0,
0, 75, 70, 0, 74, 0, 0, 62, 70, 237,
0, 63, 0, 85, 99, 65, 111, 62, 34, 0,
54, 116, 0, 54, 127, 51, 237, 50, 0, 48,
47, 39, 33, 29, 17, 237, 136, 143, 150, 157,
164, 171, 178, 184, 191, 198, 201, 207, 214, 217,
219, 225, 228, 230
0, 0, 14, 28, 42, 56, 70, 84, 18, 19,
69, 100, 16, 323, 323, 55, 59, 323, 323, 13,
115, 0, 323, 52, 323, 323, 21, 51, 0, 323,
53, 0, 323, 323, 323, 0, 0, 126, 55, 0,
25, 25, 53, 0, 0, 136, 53, 0, 57, 0,
0, 42, 50, 323, 0, 43, 0, 146, 160, 45,
172, 43, 26, 0, 42, 184, 0, 42, 195, 40,
323, 40, 0, 38, 37, 34, 32, 31, 23, 323,
211, 219, 227, 235, 243, 251, 259, 267, 274, 281,
285, 291, 298, 302, 304, 310, 314, 316
} ;
static const flex_int16_t yy_def[95] =
static const flex_int16_t yy_def[99] =
{ 0,
76, 1, 77, 77, 78, 78, 79, 79, 80, 80,
76, 76, 76, 76, 76, 76, 12, 76, 76, 12,
76, 81, 82, 76, 76, 82, 83, 76, 76, 76,
76, 84, 12, 85, 12, 86, 76, 76, 87, 20,
12, 88, 12, 21, 76, 89, 12, 82, 82, 76,
83, 76, 84, 85, 76, 54, 85, 90, 76, 55,
87, 88, 55, 62, 88, 91, 76, 55, 92, 93,
90, 94, 91, 93, 94, 0, 76, 76, 76, 76,
76, 76, 76, 76, 76, 76, 76, 76, 76, 76,
76, 76, 76, 76
80, 1, 81, 81, 82, 82, 83, 83, 84, 84,
80, 80, 80, 80, 80, 80, 12, 80, 80, 12,
80, 85, 80, 86, 80, 80, 86, 86, 87, 80,
80, 87, 80, 80, 80, 88, 12, 89, 12, 90,
80, 80, 91, 20, 12, 92, 12, 21, 80, 93,
12, 86, 86, 80, 87, 80, 88, 89, 80, 58,
89, 94, 80, 59, 91, 92, 59, 66, 92, 95,
80, 59, 96, 97, 94, 98, 95, 97, 98, 0,
80, 80, 80, 80, 80, 80, 80, 80, 80, 80,
80, 80, 80, 80, 80, 80, 80, 80
} ;
static const flex_int16_t yy_nxt[253] =
static const flex_int16_t yy_nxt[340] =
{ 0,
12, 13, 14, 13, 15, 16, 17, 18, 19, 12,
12, 20, 21, 22, 12, 24, 28, 25, 28, 28,
28, 37, 40, 37, 40, 62, 26, 24, 29, 25,
29, 31, 31, 50, 37, 48, 37, 54, 26, 33,
59, 63, 45, 34, 59, 35, 45, 62, 33, 33,
33, 33, 36, 33, 41, 55, 54, 58, 42, 63,
43, 72, 60, 41, 44, 41, 45, 46, 41, 55,
55, 56, 70, 52, 48, 49, 67, 66, 57, 63,
60, 64, 58, 52, 49, 39, 38, 76, 65, 55,
14, 56, 14, 76, 76, 76, 76, 76, 57, 55,
12, 20, 21, 22, 12, 23, 25, 41, 26, 41,
14, 14, 44, 54, 44, 52, 41, 27, 41, 28,
25, 66, 26, 35, 35, 63, 63, 49, 49, 58,
67, 27, 66, 28, 30, 59, 58, 62, 67, 76,
64, 59, 74, 56, 52, 53, 31, 32, 30, 71,
70, 64, 62, 56, 53, 53, 43, 42, 80, 80,
31, 32, 30, 80, 80, 80, 80, 80, 80, 80,
80, 80, 80, 80, 34, 35, 30, 80, 80, 80,
80, 80, 80, 80, 80, 80, 80, 80, 34, 35,
76, 76, 76, 34, 76, 68, 76, 76, 55, 55,
55, 55, 69, 55, 54, 76, 54, 76, 54, 54,
63, 76, 64, 76, 76, 76, 76, 76, 76, 65,
62, 76, 62, 76, 62, 62, 23, 23, 23, 23,
23, 23, 23, 27, 27, 27, 27, 27, 27, 27,
30, 30, 30, 30, 30, 30, 30, 32, 32, 32,
32, 32, 32, 32, 47, 76, 47, 47, 47, 47,
47, 48, 76, 48, 76, 48, 48, 48, 51, 76,
51, 51, 51, 51, 53, 76, 53, 53, 53, 53,
53, 54, 76, 76, 54, 76, 54, 54, 33, 76,
37, 80, 80, 80, 38, 80, 39, 80, 80, 37,
37, 37, 37, 40, 37, 45, 80, 80, 80, 46,
80, 47, 80, 80, 45, 48, 45, 49, 50, 45,
59, 80, 60, 80, 80, 80, 80, 80, 80, 61,
67, 80, 68, 80, 80, 80, 80, 80, 80, 69,
59, 80, 60, 80, 80, 80, 80, 80, 80, 61,
59, 80, 80, 80, 38, 80, 72, 80, 80, 59,
59, 59, 59, 73, 59, 58, 80, 58, 80, 58,
58, 80, 80, 80, 80, 80, 80, 58, 67, 80,
68, 80, 80, 80, 80, 80, 80, 69, 66, 80,
33, 33, 33, 33, 33, 61, 61, 62, 76, 76,
62, 76, 62, 62, 41, 76, 41, 41, 41, 41,
41, 71, 71, 73, 73, 55, 76, 55, 55, 55,
55, 55, 74, 74, 75, 75, 11, 76, 76, 76,
76, 76, 76, 76, 76, 76, 76, 76, 76, 76,
76, 76
66, 80, 66, 66, 80, 80, 80, 80, 80, 80,
66, 24, 24, 24, 24, 24, 24, 24, 24, 29,
29, 29, 29, 29, 29, 29, 29, 33, 33, 33,
33, 33, 33, 33, 33, 36, 36, 36, 36, 36,
36, 36, 36, 51, 80, 51, 51, 51, 51, 51,
51, 52, 80, 52, 80, 52, 52, 52, 52, 55,
80, 55, 55, 55, 55, 80, 55, 57, 80, 57,
57, 57, 57, 57, 58, 80, 80, 58, 80, 58,
58, 37, 80, 37, 37, 37, 37, 37, 37, 65,
65, 66, 80, 80, 66, 80, 66, 66, 45, 80,
45, 45, 45, 45, 45, 45, 75, 75, 77, 77,
59, 80, 59, 59, 59, 59, 59, 59, 78, 78,
79, 79, 11, 80, 80, 80, 80, 80, 80, 80,
80, 80, 80, 80, 80, 80, 80, 80, 80
} ;
static const flex_int16_t yy_chk[253] =
static const flex_int16_t yy_chk[340] =
{ 0,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 3, 5, 3, 6, 7,
8, 13, 20, 13, 20, 75, 3, 4, 5, 4,
6, 7, 8, 26, 37, 26, 37, 74, 4, 12,
38, 73, 38, 12, 59, 12, 59, 72, 12, 12,
12, 12, 12, 12, 21, 71, 70, 68, 21, 66,
21, 64, 61, 21, 21, 21, 21, 21, 21, 34,
58, 34, 56, 52, 49, 48, 45, 43, 34, 42,
39, 42, 35, 29, 23, 17, 16, 11, 42, 54,
10, 54, 9, 0, 0, 0, 0, 0, 54, 55,
1, 1, 1, 1, 1, 1, 3, 13, 3, 13,
9, 10, 20, 27, 20, 27, 41, 3, 41, 3,
4, 79, 4, 9, 10, 42, 63, 42, 63, 78,
77, 4, 76, 4, 5, 75, 74, 72, 70, 68,
65, 62, 60, 56, 53, 52, 5, 5, 6, 49,
47, 43, 39, 31, 28, 24, 17, 16, 11, 0,
6, 6, 7, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 7, 7, 8, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 8, 8,
0, 0, 0, 55, 0, 55, 0, 0, 55, 55,
55, 55, 55, 55, 57, 0, 57, 0, 57, 57,
62, 0, 62, 0, 0, 0, 0, 0, 0, 62,
65, 0, 65, 0, 65, 65, 77, 77, 77, 77,
77, 77, 77, 78, 78, 78, 78, 78, 78, 78,
79, 79, 79, 79, 79, 79, 79, 80, 80, 80,
80, 80, 80, 80, 81, 0, 81, 81, 81, 81,
81, 82, 0, 82, 0, 82, 82, 82, 83, 0,
83, 83, 83, 83, 84, 0, 84, 84, 84, 84,
84, 85, 0, 0, 85, 0, 85, 85, 86, 0,
12, 0, 0, 0, 12, 0, 12, 0, 0, 12,
12, 12, 12, 12, 12, 21, 0, 0, 0, 21,
0, 21, 0, 0, 21, 21, 21, 21, 21, 21,
38, 0, 38, 0, 0, 0, 0, 0, 0, 38,
46, 0, 46, 0, 0, 0, 0, 0, 0, 46,
58, 0, 58, 0, 0, 0, 0, 0, 0, 58,
59, 0, 0, 0, 59, 0, 59, 0, 0, 59,
59, 59, 59, 59, 59, 61, 0, 61, 0, 61,
61, 0, 0, 0, 0, 0, 0, 61, 66, 0,
66, 0, 0, 0, 0, 0, 0, 66, 69, 0,
86, 86, 86, 86, 86, 87, 87, 88, 0, 0,
88, 0, 88, 88, 89, 0, 89, 89, 89, 89,
89, 90, 90, 91, 91, 92, 0, 92, 92, 92,
92, 92, 93, 93, 94, 94, 76, 76, 76, 76,
76, 76, 76, 76, 76, 76, 76, 76, 76, 76,
76, 76
69, 0, 69, 69, 0, 0, 0, 0, 0, 0,
69, 81, 81, 81, 81, 81, 81, 81, 81, 82,
82, 82, 82, 82, 82, 82, 82, 83, 83, 83,
83, 83, 83, 83, 83, 84, 84, 84, 84, 84,
84, 84, 84, 85, 0, 85, 85, 85, 85, 85,
85, 86, 0, 86, 0, 86, 86, 86, 86, 87,
0, 87, 87, 87, 87, 0, 87, 88, 0, 88,
88, 88, 88, 88, 89, 0, 0, 89, 0, 89,
89, 90, 0, 90, 90, 90, 90, 90, 90, 91,
91, 92, 0, 0, 92, 0, 92, 92, 93, 0,
93, 93, 93, 93, 93, 93, 94, 94, 95, 95,
96, 0, 96, 96, 96, 96, 96, 96, 97, 97,
98, 98, 80, 80, 80, 80, 80, 80, 80, 80,
80, 80, 80, 80, 80, 80, 80, 80, 80
} ;
/* Table of booleans, true if rule could match eol. */
@@ -1075,13 +1093,13 @@ yy_match:
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
if ( yy_current_state >= 77 )
if ( yy_current_state >= 81 )
yy_c = yy_meta[yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
++yy_cp;
}
while ( yy_base[yy_current_state] != 237 );
while ( yy_base[yy_current_state] != 323 );
yy_find_action:
yy_act = yy_accept[yy_current_state];
@@ -1647,7 +1665,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
for ( yy_cp = yyg->yytext_ptr + YY_MORE_ADJ; yy_cp < yyg->yy_c_buf_p; ++yy_cp )
{
YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 16);
if ( yy_accept[yy_current_state] )
{
yyg->yy_last_accepting_state = yy_current_state;
@@ -1656,7 +1674,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
if ( yy_current_state >= 77 )
if ( yy_current_state >= 81 )
yy_c = yy_meta[yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
@@ -1676,7 +1694,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; /* This var may be unused depending upon options. */
char *yy_cp = yyg->yy_c_buf_p;
YY_CHAR yy_c = 1;
YY_CHAR yy_c = 16;
if ( yy_accept[yy_current_state] )
{
yyg->yy_last_accepting_state = yy_current_state;
@@ -1685,11 +1703,11 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
if ( yy_current_state >= 77 )
if ( yy_current_state >= 81 )
yy_c = yy_meta[yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
yy_is_jam = (yy_current_state == 76);
yy_is_jam = (yy_current_state == 80);
(void)yyg;
return yy_is_jam ? 0 : yy_current_state;

8
Source/LexerParser/cmListFileLexer.in.l
View File

@@ -74,7 +74,7 @@ static void cmListFileLexerDestroy(cmListFileLexer* lexer);
%x COMMENT
MAKEVAR \$\([A-Za-z0-9_]*\)
UNQUOTED ([^ \t\r\n\(\)#\\\"[=]|\\.)
UNQUOTED ([^ \0\t\r\n\(\)#\\\"[=]|\\.)
LEGACY {MAKEVAR}|{UNQUOTED}|\"({MAKEVAR}|{UNQUOTED}|[ \t[=])*\"
%%
@@ -113,7 +113,7 @@ LEGACY {MAKEVAR}|{UNQUOTED}|\"({MAKEVAR}|{UNQUOTED}|[ \t[=])*\"
BEGIN(COMMENT);
}
<COMMENT>.* {
<COMMENT>[^\0\n]* {
lexer->column += yyleng;
}
@@ -168,7 +168,7 @@ LEGACY {MAKEVAR}|{UNQUOTED}|\"({MAKEVAR}|{UNQUOTED}|[ \t[=])*\"
BEGIN(BRACKET);
}
<BRACKET,BRACKETEND>. {
<BRACKET,BRACKETEND>[^\0\n] {
cmListFileLexerAppend(lexer, yytext, yyleng);
lexer->column += yyleng;
BEGIN(BRACKET);
@@ -231,7 +231,7 @@ LEGACY {MAKEVAR}|{UNQUOTED}|\"({MAKEVAR}|{UNQUOTED}|[ \t[=])*\"
return 1;
}
<STRING>. {
<STRING>[^\0\n] {
cmListFileLexerAppend(lexer, yytext, yyleng);
lexer->column += yyleng;
}

1
Tests/RunCMake/Syntax/NullTerminatedArgument-result.txt Normal file
View File

@@ -0,0 +1 @@
1

5
Tests/RunCMake/Syntax/NullTerminatedArgument-stderr.txt Normal file
View File

@@ -0,0 +1,5 @@
CMake Error at NullTerminatedArgument.cmake:1:
Parse error. Function missing ending "\)". Instead found bad character
with text "".
Call Stack \(most recent call first\):
CMakeLists.txt:3 \(include\)

BIN
Tests/RunCMake/Syntax/NullTerminatedArgument.cmake Normal file
View File

Binary file not shown.

1
Tests/RunCMake/Syntax/RunCMakeTest.cmake
View File

@@ -55,6 +55,7 @@ run_cmake(BracketNoSpace5)
run_cmake(Escape1)
run_cmake(Escape2)
run_cmake(EscapeCharsAllowed)
run_cmake(NullTerminatedArgument)
include("${RunCMake_SOURCE_DIR}/EscapeCharsDisallowed.cmake")
run_cmake(ParenNoSpace0)
run_cmake(ParenNoSpace1)