From eff762fe3924c25e556e488aa3e197def4f58df3 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Tue, 14 Feb 2023 23:25:42 -0600
Subject: [PATCH] Security: Invalid read or write while expanding operations.

The logic here is non-standard. The normal logic operates on a pre-allocated basis. That is, right before accessing the data perform the pre-allocation. This code operates on the expectation that new variables are only added when conditionally required. This results in a post-allocation basis where once a variable is known to expand then increment the used variable for the next pass. The allocation checks need to happen after the increment on used. There are some cases where this post-allocation is not happening. This is probably a regression in the very recent bug fixes regarding expanding operations. Be sure to ensure a clean state after the post-allocation process.
---
 level_3/fake/c/main/make/operate.c | 50 +++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 22 deletions(-)

diff --git a/level_3/fake/c/main/make/operate.c b/level_3/fake/c/main/make/operate.c
index 340deb2..e0ea57e 100644
--- a/level_3/fake/c/main/make/operate.c
+++ b/level_3/fake/c/main/make/operate.c
@@ -381,6 +381,16 @@ extern "C" {
 &data_make->parameter_value.work,
 };
+ *status = f_string_dynamics_increase(fake_default_allocation_small_d, &data_make->cache_arguments);
+
+ if (F_status_is_error(*status)) {
+ fake_print_error(data_make->setting, *status, data_make->main->error, macro_fake_f(f_string_dynamics_increase));
+
+ return;
+ }
+
+ data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
+
 for (; i < content.used; ++i) {
 iki_data->variable.used = 0;
@@ -400,6 +410,8 @@ extern "C" {
 break;
 }
+
+ data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
 }
 continue;
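Review bot: The reset `data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;` added after the new `f_string_dynamics_increase()` call in the hunk at -381 is repeated by hand at every post-allocation site (also the hunks at -400, -637, -716, -821 and -841), which is the kind of per-site step the commit message says was missed before. Folding the increase, the status check and the reset into one static helper would keep the "slot at `used` is allocated and empty" invariant in a single place. Until then, a comment above this first call would document it, e.g. `// Post-allocation: array[used] must be allocated and empty before any append writes to it.` The enclosing function starts and ends outside the hunk, so coverage of every increment site cannot be confirmed from here.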
@@ -637,6 +649,8 @@ extern "C" {
 break;
 }
+
+ data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
 }
 *status = f_string_dynamic_append_nulless(reserved_value[k]->array[l], &data_make->cache_arguments.array[data_make->cache_arguments.used]);
@@ -716,6 +730,8 @@ extern "C" {
 break;
 }
+
+ data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
 }
 }
@@ -821,6 +837,8 @@ extern "C" {
 break;
 }
+
+ data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
 }
 }
 else {
@@ -841,6 +859,8 @@ extern "C" {
 break;
 }
+
+ data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;
 }
 } // for
 }
@@ -1119,19 +1139,12 @@ extern "C" {
 if (F_status_is_error(status)) return status;
 if (unmatched) return F_false;
- if (quote) {
- status = f_string_dynamic_append_nulless(data_make->cache_1, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
- }
- else {
- status = f_string_dynamics_increase_by(fake_default_allocation_small_d, &data_make->cache_arguments);
+ status = f_string_dynamic_append_nulless(data_make->cache_1, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
- if (F_status_is_error_not(status)) {
- status = f_string_dynamic_append_nulless(data_make->cache_1, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
+ if (F_status_is_error_not(status) && !quote) {
+ ++data_make->cache_arguments.used;
- if (F_status_is_error_not(status)) {
- ++data_make->cache_arguments.used;
- }
- }
+ status = f_string_dynamics_increase(fake_default_allocation_small_d, &data_make->cache_arguments);
 }
 if (F_status_is_error(status)) return status;
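Review bot: In the hunk at -1119 the slot exposed by `++data_make->cache_arguments.used;` is not cleared after `f_string_dynamics_increase()`, unlike the other post-allocation sites in this patch, so if `cache_arguments` is reused the next `f_string_dynamic_append_nulless()` into `array[used]` could append to leftover content. Inside the `!quote` branch I would follow the increase with `if (F_status_is_error(status)) return status;` and then `data_make->cache_arguments.array[data_make->cache_arguments.used].used = 0;`, so the reset only runs once the slot is known to exist. The hunk at -1234 has the same increment-then-increase sequence without a reset. The enclosing function starts and ends outside the hunk, so a reset performed elsewhere cannot be ruled out.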
@@ -1181,17 +1194,7 @@ extern "C" {
 } // for
 if (context) {
- if (quote) {
- status = f_string_dynamic_append_nulless(*context, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
- }
- else {
- status = f_string_dynamics_increase_by(fake_default_allocation_small_d, &data_make->cache_arguments);
-
- if (F_status_is_error_not(status)) {
- status = f_string_dynamic_append_nulless(*context, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
- }
- }
-
+ status = f_string_dynamic_append_nulless(*context, &data_make->cache_arguments.array[data_make->cache_arguments.used]);
 if (F_status_is_error(status)) return status;
 }
@@ -1234,6 +1237,9 @@ extern "C" {
 if (!quote) {
 ++data_make->cache_arguments.used;
+
+ status = f_string_dynamics_increase(fake_default_allocation_small_d, &data_make->cache_arguments);
+ if (F_status_is_error(status)) return status;
 }
 if (data_make->cache_2.used) return F_true;
-- 
1.8.3.1
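Review bot: With the `f_string_dynamics_increase_by()` call removed from the `if (context)` block in the hunk at -1181, the append of `*context` writes to `cache_arguments.array[cache_arguments.used]` with no allocation left in view, so memory safety now rests on every caller and on the post-allocation after each increment. That precondition should be stated where the write happens, e.g. `// array[used] is already allocated by the post-allocation that follows each increment of used.` A debug-build check that `used` is below the allocated size before the append would surface a future regression as a failed check instead of an invalid write. The enclosing function begins and ends outside the hunk.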