Security: Invalid read or write while expanding operations.

The logic here is non-standard.
The normal logic operates on a pre-allocated basis.
That is, right before accessing the data perform the pre-allocation.

This code operates on the expectation that new variables are only added when conditionally required.
This results in a post-allocation basis where once a variable is known to expand then increment the used variable for the next pass.
The allocation checks need to happen after the increment on used.

There are some cases where this post-allocation is not happening.
This is probably a regression in the very recent bug fixes regarding expanding operations.

Be sure to ensure a clean state after the post-allocation process.

diff --git a/level_3/fake/c/main/make/operate.c b/level_3/fake/c/main/make/operate.c
index 340deb27b4fecdc052a12424e46d791145936de1..e0ea57ef7a25db00ffac88a97464b6493baa8bcf 100644 (file)
--- a/level_3/fake/c/main/make/operate.c
+++ b/level_3/fake/c/main/make/operate.c
@@ -381,6 +381,16 @@ extern "C" {
       &data_make->parameter_value.work,
     };
 
+    *status = f_string_dynamics_increase(fake_default_allocation_small_d, &data_make->cache_arguments);
+
+    if (F_status_is_error(*status)) {
+      fake_print_error(data_make->setting, *status, data_make->main->error, macro_fake_f(f_string_dynamics_increase));
+
+      return;
+    }
+
+    data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
+
     for (; i < content.used; ++i) {
 
       iki_data->variable.used = 0;
@@ -400,6 +410,8 @@ extern "C" {
 
             break;
           }
+
+          data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
         }
 
         continue;
@@ -637,6 +649,8 @@ extern "C" {
 
                         break;
                       }
+
+                      data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
                     }
 
                     *status = f_string_dynamic_append_nulless(reserved_value[k]->array[l], &data_make->cache_arguments.array[data_make->cache_arguments.used]);
@@ -716,6 +730,8 @@ extern "C" {
 
                           break;
                         }
+
+                        data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
                       }
                     }
 
@@ -821,6 +837,8 @@ extern "C" {
 
             break;
           }
+
+          data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
         }
       }
       else {
@@ -841,6 +859,8 @@ extern "C" {
 
           break;
         }
+
+        data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
       }
     } // for
   }
@@ -1119,19 +1139,12 @@ extern "C" {
     if (F_status_is_error(status)) return status;
     if (unmatched) return F_false;
 
-    if (quote) {
-      status = f_string_dynamic_append_nulless(data_make->cache_1, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
-    }
-    else {
-      status = f_string_dynamics_increase_by(fake_default_allocation_small_d, &data_make->cache_arguments);
+    status = f_string_dynamic_append_nulless(data_make->cache_1, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
 
-      if (F_status_is_error_not(status)) {
-        status = f_string_dynamic_append_nulless(data_make->cache_1, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
+    if (F_status_is_error_not(status) && !quote) {
+      ++data_make->cache_arguments.used;
 
-        if (F_status_is_error_not(status)) {
-          ++data_make->cache_arguments.used;
-        }
-      }
+      status = f_string_dynamics_increase(fake_default_allocation_small_d, &data_make->cache_arguments);
     }
 
     if (F_status_is_error(status)) return status;
@@ -1181,17 +1194,7 @@ extern "C" {
     } // for
 
     if (context) {
-      if (quote) {
-        status = f_string_dynamic_append_nulless(*context, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
-      }
-      else {
-        status = f_string_dynamics_increase_by(fake_default_allocation_small_d, &data_make->cache_arguments);
-
-        if (F_status_is_error_not(status)) {
-          status = f_string_dynamic_append_nulless(*context, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
-        }
-      }
-
+      status = f_string_dynamic_append_nulless(*context, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
       if (F_status_is_error(status)) return status;
     }
 
@@ -1234,6 +1237,9 @@ extern "C" {
 
     if (!quote) {
       ++data_make->cache_arguments.used;
+
+      status = f_string_dynamics_increase(fake_default_allocation_small_d, &data_make->cache_arguments);
+      if (F_status_is_error(status)) return status;
     }
 
     if (data_make->cache_2.used) return F_true;