ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Grow the lex token buffer in one more place

Browse Source 
when parsing key pairs, if the '=' character fell at max_token
a protective INSIST preventing buffer overrun could be triggered.
Attempt to grow the buffer immediately before the INSIST.

Also removed an unnecessary INSIST on the opening double quote
of key buffer pair.

(cherry picked from commit 4c356d2770)
This commit is contained in:
Mark Andrews
2022-02-28 11:47:56 +11:00
parent 84a96a1bb0
commit 0b6af23d61
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/isc/lex.c
View File

@@ -670,6 +670,13 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
case lexstate_string:
if (!escaped && c == '=' &&
(options & ISC_LEXOPT_VPAIR) != 0) {
if (remaining == 0U) {
result = grow_data(lex, &remaining,
&curr, &prev);
if (result != ISC_R_SUCCESS) {
goto done;
}
}
INSIST(remaining > 0U);
*curr++ = c;
*curr = '\0';
@@ -682,7 +689,6 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
if (state == lexstate_vpairstart) {
if (c == '"' &&
(options & ISC_LEXOPT_QVPAIR) != 0) {
INSIST(remaining > 0U);
no_comments = true;
state = lexstate_qvpair;
break;