From 2a8b6ee438067fd3cc2f85685b727d726136bfb8 Mon Sep 17 00:00:00 2001
From: Adam Dickmeiss
Date: Fri, 11 Apr 2003 15:53:39 +0000
Subject: [PATCH] Fix CQL lex buffer overflow.

---
 CHANGELOG | 2 ++
 cql/Makefile.am | 4 ++--
 cql/cql.y | 16 +++++++++++++---
 cql/lexer.c | 39 +++++++++++++++++++++++++--------------
 4 files changed, 42 insertions(+), 19 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index b80bb9c..6df3ab2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,7 @@
 Possible compatibility problems with earlier versions marked with '*'.
+Fix CQL lex buffer overflow.
+
 recordPacking. SRU protocol support for frontend server.
diff --git a/cql/Makefile.am b/cql/Makefile.am
index c0c875e..d47cbf1 100644
--- a/cql/Makefile.am
+++ b/cql/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.1 2003-01-06 08:20:27 adam Exp $
+# $Id: Makefile.am,v 1.2 2003-04-11 15:53:39 adam Exp $
 AM_YFLAGS=-p cql_
 AM_CPPFLAGS=-I$(top_srcdir)/include
@@ -14,4 +14,4 @@ libcql_la_SOURCES=cql.y cqlstdio.c cqltransform.c \
 cql2pqf_SOURCES = cql2pqf.c
 cql2xcql_SOURCES = cql2xcql.c
-LDADD=libcql.la
+LDADD=libcql.la ../util/libutil.la
diff --git a/cql/cql.y b/cql/cql.y
index 582be81..daa3135 100644
--- a/cql/cql.y
+++ b/cql/cql.y
@@ -1,4 +1,4 @@
-/* $Id: cql.y,v 1.3 2003-02-14 18:49:23 adam Exp $
+/* $Id: cql.y,v 1.4 2003-04-11 15:53:39 adam Exp $
 Copyright (C) 2002-2003
 Index Data Aps
@@ -13,14 +13,15 @@ See the file LICENSE.
 #include
 #include
 #include
+#include
 #include
 typedef struct {
 struct cql_node *rel;
 struct cql_node *cql;
- char buf[80];
+ char *buf;
 size_t len;
- size_t max;
+ size_t size;
 } token;
 struct cql_parser {
@@ -30,6 +31,7 @@ See the file LICENSE.
 int last_error;
 int last_pos;
 struct cql_node *top;
+ NMEM nmem;
 };
 #define YYSTYPE token
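Review bot: The new `buf`/`size` members of `token` in the cql.y hunk at line 13 carry an invariant that is only visible in lexer.c and is not documented on the struct: `buf` is allocated from the parser's `nmem` arena, `len` is the number of stored bytes not counting the terminator, and `size` is the allocated capacity. I would put that on the fields: `char *buf; /* token text, nmem-allocated, NUL-terminated */`, `size_t len; /* bytes stored, excluding the terminator */`, `size_t size; /* allocated capacity of buf */`. The `NMEM nmem` member added to `struct cql_parser` in the following hunk likewise deserves a one-line ownership note saying it is created in `cql_parser_create` and released in `cql_parser_destroy`. `struct cql_parser` opens in one hunk and closes in the next, so its full member list is not visible here.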
@@ -252,12 +254,20 @@
 CQL_parser cql_parser_create(void)
 {
 CQL_parser cp = (CQL_parser) malloc (sizeof(*cp));
+ cp->top = 0;
+ cp->getbyte = 0;
+ cp->ungetbyte = 0;
+ cp->client_data = 0;
+ cp->last_error = 0;
+ cp->last_pos = 0;
+ cp->nmem = nmem_create();
 return cp;
 }
 void cql_parser_destroy(CQL_parser cp)
 {
 cql_node_destroy(cp->top);
+ nmem_destroy(cp->nmem);
 free (cp);
 }
diff --git a/cql/lexer.c b/cql/lexer.c
index 8a26522..0415a45 100644
--- a/cql/lexer.c
+++ b/cql/lexer.c
@@ -1,4 +1,4 @@
-/* $Id: lexer.c,v 1.1 2003-01-06 08:20:27 adam Exp $
+/* $Id: lexer.c,v 1.2 2003-04-11 15:53:39 adam Exp $
 Copyright (C) 2002-2003
 Index Data Aps
@@ -6,6 +6,20 @@ This file is part of the YAZ toolkit.
 See the file LICENSE.
 */
+
+static void putb(YYSTYPE *lval, CQL_parser cp, int c)
+{
+ if (lval->len >= lval->size)
+ {
+ char *nb = nmem_malloc(cp->nmem, (lval->size = lval->len * 2 + 20));
+ memcpy (nb, lval->buf, lval->len);
+ lval->buf = nb;
+ }
+ if (c)
+ lval->buf[lval->len++] = c;
+ lval->buf[lval->len] = '\0';
+}
+
 /*
 * bison lexer for CQL. */
@@ -24,17 +38,18 @@ int yylex(YYSTYPE *lval, void *vp)
 } while (isspace(c));
 lval->rel = 0;
 lval->len = 0;
+ lval->size = 10;
+ lval->buf = nmem_malloc(cp->nmem, lval->size);
 if (strchr("()=>buf[lval->len++] = c;
+ putb(lval, cp, c);
 if (c == '>')
 {
 c1 = cp->getbyte(cp->client_data);
 if (c1 == '=')
 {
- lval->buf[lval->len++] = c1;
- lval->buf[lval->len] = 0;
+ putb(lval, cp, c1);
 return GE;
 }
 else
@@ -45,20 +60,17 @@ int yylex(YYSTYPE *lval, void *vp)
 c1 = cp->getbyte(cp->client_data);
 if (c1 == '=')
 {
- lval->buf[lval->len++] = c1;
- lval->buf[lval->len] = 0;
+ putb(lval, cp, c1);
 return LE;
 }
 else if (c1 == '>')
 {
- lval->buf[lval->len++] = c1;
- lval->buf[lval->len] = 0;
+ putb(lval, cp, c1);
 return NE;
 }
 else
 cp->ungetbyte(c1, cp->client_data);
 }
- lval->buf[lval->len] = 0;
 return c;
 }
 if (c == '"')
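Review bot: `cql_parser_create` writes the new field initialisations through `cp` without checking the `malloc` result, so an allocation failure becomes a write through a null pointer instead of a reported error; add `if (!cp) return 0;` directly after the `malloc` line. The value of `nmem_create()` is stored unchecked as well — whether it can fail is not visible from this hunk, but if it can, the same early return (after freeing `cp`) applies. The cast on `malloc` is unnecessary in C and would mask a missing prototype: `CQL_parser cp = malloc(sizeof *cp);`.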
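Review bot: The growth test in `putb` is off by one: it compares `lval->len >= lval->size` before the store, then writes the terminator at `buf[len]` after `len` has been incremented, so when `len == size - 1` the character fills the last byte and the `'\0'` lands one past the allocation — with the initial `size` of 10 that is the tenth byte of any token, and it recurs at every doubling. Change the guard to `if (lval->len + 1 >= lval->size)` so the block is grown while there is still room for both the byte and the terminator; the patch title promises the overflow is gone, and this line keeps a one-byte version of it. The `memcpy` copying only `len` bytes is fine because the terminator is rewritten below, but that deserves a comment: `/* old terminator not copied; rewritten after the store */`.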
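Review bot: Every call to `yylex` takes a fresh 10-byte `lval->buf` from `cp->nmem`, and `putb` leaves each outgrown block behind in the same arena; nothing in these hunks releases them before `cql_parser_destroy`, so the memory a parser holds grows with every token it has ever scanned, which matters if one `CQL_parser` is reused for many queries (the calling convention is not visible from here). A short comment at the allocation stating that token text lives until the parser is destroyed, or an `nmem_reset` at the start of each parse, would settle that. The literal `10` would also read better as a named constant such as `enum { CQL_TOKEN_BUF_INIT = 10 };`.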
@@ -67,21 +79,20 @@ int yylex(YYSTYPE *lval, void *vp)
 {
 if (c == '\\')
 c = cp->getbyte(cp->client_data);
- lval->buf[lval->len++] = c;
+ putb(lval, cp, c);
 }
- lval->buf[lval->len] = 0;
+ putb(lval, cp, 0);
 }
 else
 {
- lval->buf[lval->len++] = c;
+ putb(lval, cp, c);
 while ((c = cp->getbyte(cp->client_data)) != 0 &&
 !strchr(" \n()=<>/", c))
 {
 if (c == '\\')
 c = cp->getbyte(cp->client_data);
- lval->buf[lval->len++] = c;
+ putb(lval, cp, c);
 }
- lval->buf[lval->len] = 0;
 #if YYDEBUG
 printf ("got %s\n", lval->buf);
 #endif
-- 
1.7.10.4
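Review bot: The `putb(lval, cp, 0)` after the quoted-string loop looks redundant beside a helper that already terminates after every store, but it is the only thing that terminates an empty literal `""`, whose loop body never runs on a block that `nmem_malloc` handed back without — as far as I can tell — initialising it. A comment will stop the next cleanup from dropping it: `putb(lval, cp, 0); /* terminate; the loop stores nothing for "" */`. In both loops a backslash as the last byte of input makes `c` zero, which `putb` silently ignores, so a trailing `\` disappears rather than being reported; that behaviour predates this change, and the quoted loop's header sits outside the hunk.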