This is a backport of the fixes for a problem discovered in the 0.7 branch.
The 0.7 program fss_payload_read exposed this issue.
This issue affects multiple programs in the 0.6 branch.
The fss_payload_read such as the runtime test is wrong:
# fss_payload_read -ocn payload level_3/fss_read/tests/runtime/fss_000e/source/test-0002-mixed.fss -t
The output is 1 but should instead be 4.
# fss_payload_read -ocn payload level_3/fss_read/tests/runtime/fss_000e/source/test-0002-mixed.fss | wc -l
Investigating this problem revealed that the comment handling code is failing to perform a range check.
The overflow is causing the stop range to point to some random memory address which is almost always larger than the file.
This results in the count being wrong.
This bug is a security concern.
Add the range check in all places where this range check is missing for the comments.
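The skip loop the commit message describes, written out as a stand-alone C example (added here; not the project's code, and the `range_t`, `ranges_t`, `count_outside_comments` and `demo_count` names are hypothetical stand-ins for the `data->comments` shape seen in the patch). It counts positions in a range that lie outside any comment, with the `j < used` bound on the skip loop and a second bound on the comparison that follows it, and it exercises the case that triggers the bug: a range that continues past the last comment, so that `j` runs up to `used`.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the comments array shape used in the patch
   (array of start/stop ranges plus a `used` count); not the project's own types. */
typedef struct { size_t start; size_t stop; } range_t;
typedef struct { range_t *array; size_t used; } ranges_t;

/* Count positions in [range.start, range.stop] that fall outside every comment.
   Assumes comments are sorted by start, do not overlap, and range.stop < SIZE_MAX,
   which the skip loop in the patch also relies on. Both checks on j are what keep
   the loop from reading past comments->used. */
size_t count_outside_comments(const ranges_t *comments, range_t range) {
  size_t count = 0;
  size_t j = 0;

  for (size_t i = range.start; i <= range.stop; ++i) {
    if (j < comments->used) {
      /* Bounded skip: advance j only while it is still a valid index. */
      while (j < comments->used && comments->array[j].stop < i) ++j;

      /* Re-check j: the skip above may have consumed the last comment. */
      if (j < comments->used && i >= comments->array[j].start && i <= comments->array[j].stop) {
        i = comments->array[j++].stop; /* jump to the comment's end; ++i moves past it */
        continue;
      }
    }
    ++count;
  }

  return count;
}

/* Constructed sample inputs (not taken from the project's test files). */
size_t demo_count(int scenario) {
  static range_t two[] = { {2, 4}, {7, 8} };
  static range_t early[] = { {0, 1} };
  ranges_t comments;
  range_t range;

  switch (scenario) {
    case 0: /* two comments inside the range: 10 positions, 5 commented */
      comments.array = two; comments.used = 2; range.start = 0; range.stop = 9; break;
    case 1: /* range continues past the last comment: the skip loop runs j up to used */
      comments.array = two; comments.used = 2; range.start = 0; range.stop = 20; break;
    case 2: /* every comment ends before the range begins */
      comments.array = early; comments.used = 1; range.start = 5; range.stop = 9; break;
    default: /* no comments at all */
      comments.array = NULL; comments.used = 0; range.start = 3; range.stop = 6; break;
  }

  return count_outside_comments(&comments, range);
}

int main(void) {
  for (int s = 0; s < 4; ++s) {
    printf("scenario %d: %zu positions outside comments\n", s, demo_count(s));
  }
  return 0;
}
```

Scenarios 1 and 2 are the ones the unbounded loop gets wrong: without the `j < comments->used` guard, `j` is incremented past the last entry and the next comparison reads whatever lies beyond the array, so a stale or out-of-range `stop` value is used as the jump target and the count is off.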
}
if (j < data->comments.used) {
- while (data->comments.array[j].stop < i) ++j;
+ while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
i = data->comments.array[j++].stop;
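Review bot: the bounded `while` on the `+` line can exit with `j == data->comments.used`, and the `if` immediately after it still indexes `data->comments.array[j].start` and `.stop` without re-checking `j`, so the out-of-bounds read is narrowed rather than removed. Suggest folding the bound into that condition: `if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {`.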
for (i = range.start; i <= range.stop; ++i) {
if (j < data->comments.used) {
- while (data->comments.array[j].stop < i) ++j;
+ while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
i = data->comments.array[j++].stop;
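Review bot: the `if` that follows the bounded `while` is still unguarded here too; once the loop has advanced `j` to `data->comments.used`, `data->comments.array[j]` is one past the last valid entry. Add `j < data->comments.used &&` as the first term of that condition.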
for (i = range.start; i <= range.stop; ++i) {
if (j < data->comments.used) {
- while (data->comments.array[j].stop < i) ++j;
+ while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
i = data->comments.array[j++].stop;
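Review bot: the commit message already names a reproducer (`test-0002-mixed.fss` under `fss_000e`, expected count 4, observed 1); since this same fix lands in several places, it would be worth adding that case as a runtime test so a regression in any one copy of the loop is caught. The post-loop `if` in this hunk should also carry the `j < data->comments.used` guard, as the `while` may leave `j` at `used`.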
for (i = range.start; i <= range.stop; ++i) {
if (j < data->comments.used) {
- while (data->comments.array[j].stop < i) ++j;
+ while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
i = data->comments.array[j++].stop;
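Review bot: after `i = data->comments.array[j++].stop;` the enclosing `for` increments `i` past the comment's end, which is the intended skip, but `j++` can also reach `data->comments.used`; that is handled by the outer `if (j < data->comments.used)` on the next iteration, while the comparison directly after the `while` in this hunk is not guarded and needs the same `j < data->comments.used` check.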
}
if (j < data->comments.used) {
- while (data->comments.array[j].stop < i) ++j;
+ while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
i = data->comments.array[j++].stop;
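Review bot: same gap as in the other hunks: the `while` is now bounded, but the `if (i >= data->comments.array[j].start && ...)` right after it dereferences `array[j]` even when `j == data->comments.used`. Prepend `j < data->comments.used &&` to that condition.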
for (i = range.start; i <= range.stop; ++i) {
if (j < data->comments.used) {
- while (data->comments.array[j].stop < i) ++j;
+ while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
i = data->comments.array[j++].stop;
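Review bot: this is the sixth identical copy of the comment-skip loop patched in this change, and each copy still has the unguarded `array[j]` read on the line after the `while`. Suggest extracting the skip-and-test into one small helper (taking `data->comments`, `i` and `&j`) so the bounds check exists in exactly one place and cannot drift between call sites.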