orangeduck/mpc

Buffer overflow when optimising `or` nodes

jeberger opened this issue · 1 comment

gcc's -fsanitize=address option reports a buffer overflow in mpc_optimise for or nodes. Moreover, it looks like the optimisation keeps some child nodes twice and forgets some others. The following patch fixes both issues:

--- a/mpc.c Tue Mar 13 15:20:47 2018 +0100
+++ b/mpc.c Wed Mar 14 10:00:22 2018 +0100
@@ -3725,7 +3725,7 @@
       n = p->data.or.n; m = t->data.or.n;
       p->data.or.n = n + m - 1;
       p->data.or.xs = realloc(p->data.or.xs, sizeof(mpc_parser_t*) * (n + m -1));
-      memmove(p->data.or.xs + m, t->data.or.xs + 1, n * sizeof(mpc_parser_t*));
+      memmove(p->data.or.xs + m, p->data.or.xs + 1, (n - 1) * sizeof(mpc_parser_t*));
       memmove(p->data.or.xs, t->data.or.xs, m * sizeof(mpc_parser_t*));
       free(t->data.or.xs); free(t->name); free(t);
       continue;
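Review bot: The corrected `memmove` is right, and the order of the two moves is what makes it work: p's own remaining children (`p->data.or.xs + 1`, n - 1 of them) have to be shifted up to offset `m` before t's `m` children are copied into slots 0..m-1, otherwise the second move would overwrite them; `memmove` rather than `memcpy` is also required for that first move because source and destination overlap inside the same buffer that `realloc` just grew. The old line read n entries starting at index 1 of t's m-element array, which runs past the end whenever n >= m and is exactly what ASan reported, and it copied t's children into the upper slots while never copying p's own children anywhere, matching the "keeps some twice and forgets others" symptom. One pre-existing point in the context lines worth a follow-up in the PR: the `realloc` result is assigned straight back to `p->data.or.xs` with no NULL check, so on allocation failure the original array leaks and the following `memmove` calls dereference NULL; a regression test with an `or` whose first alternative is itself an `or` of two or more parsers would exercise this path.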

Hi jeberger,

Thank you for your two patches - both look good - would you be interested in opening these as pull requests?

Thanks,

Dan