summaryrefslogtreecommitdiffstats
path: root/Tests/RunCMake
diff options
context:
space:
mode:
authorMatthias Maennich <matthias@maennich.net>2017-08-26 18:05:07 (GMT)
committerBrad King <brad.king@kitware.com>2017-08-30 15:28:51 (GMT)
commit14d9a11be9f8f7c79397e788d09bfe35dcb55efe (patch)
treeb9830e8978700c7de128abe0295562cc77a20bd8 /Tests/RunCMake
parentf4aa346538433f4c89a9963d74ea5d3f9bd60390 (diff)
downloadCMake-14d9a11be9f8f7c79397e788d09bfe35dcb55efe.zip
CMake-14d9a11be9f8f7c79397e788d09bfe35dcb55efe.tar.gz
CMake-14d9a11be9f8f7c79397e788d09bfe35dcb55efe.tar.bz2
ListFileLexer: fix heap-buffer-overflow on malicious input
In case a list file contains a null terminated string that is continued until a later space, the lexer token information got inconsistent: e.g. an argument "TEST\0FOOBAR" is passed by the lexer as a token char* = "TEST\0FOOBAR" and length 11 ^^ note: ascii 0x00 Using strdup in cmListFileLexer leads lexer->token.text to be allocated with size 5 and lexer->token.length to be set to 11 A subsequent call to this function with an argument of 5 < length <= 11 wrongly assumed a sufficiently sized buffer and therefore corrupted the heap buffer. The program might crash due to this corruption. The case "NullTerminatedArgument" is intentionally using a quite large 'rest' to increase the chance to actually hit the issue. It will reliably crash with address sanitizer enabled though. This fix addresses all rules where arbitrary characters are matched to ignore \0 in order to fall through to the rule that matches an arbitrary character as BadCharacter. Signed-off-by: Matthias Maennich <matthias@maennich.net>
Diffstat (limited to 'Tests/RunCMake')
-rw-r--r--Tests/RunCMake/Syntax/NullTerminatedArgument-result.txt1
-rw-r--r--Tests/RunCMake/Syntax/NullTerminatedArgument-stderr.txt5
-rw-r--r--Tests/RunCMake/Syntax/NullTerminatedArgument.cmakebin0 -> 106 bytes
-rw-r--r--Tests/RunCMake/Syntax/RunCMakeTest.cmake1
4 files changed, 7 insertions, 0 deletions
diff --git a/Tests/RunCMake/Syntax/NullTerminatedArgument-result.txt b/Tests/RunCMake/Syntax/NullTerminatedArgument-result.txt
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/Tests/RunCMake/Syntax/NullTerminatedArgument-result.txt
@@ -0,0 +1 @@
+1
diff --git a/Tests/RunCMake/Syntax/NullTerminatedArgument-stderr.txt b/Tests/RunCMake/Syntax/NullTerminatedArgument-stderr.txt
new file mode 100644
index 0000000..f26754e
--- /dev/null
+++ b/Tests/RunCMake/Syntax/NullTerminatedArgument-stderr.txt
@@ -0,0 +1,5 @@
+CMake Error at NullTerminatedArgument.cmake:1:
+ Parse error. Function missing ending "\)". Instead found bad character
+ with text "".
+Call Stack \(most recent call first\):
+ CMakeLists.txt:3 \(include\)
diff --git a/Tests/RunCMake/Syntax/NullTerminatedArgument.cmake b/Tests/RunCMake/Syntax/NullTerminatedArgument.cmake
new file mode 100644
index 0000000..c82aceb
--- /dev/null
+++ b/Tests/RunCMake/Syntax/NullTerminatedArgument.cmake
Binary files differ
diff --git a/Tests/RunCMake/Syntax/RunCMakeTest.cmake b/Tests/RunCMake/Syntax/RunCMakeTest.cmake
index d1fbb16..628df91 100644
--- a/Tests/RunCMake/Syntax/RunCMakeTest.cmake
+++ b/Tests/RunCMake/Syntax/RunCMakeTest.cmake
@@ -55,6 +55,7 @@ run_cmake(BracketNoSpace5)
run_cmake(Escape1)
run_cmake(Escape2)
run_cmake(EscapeCharsAllowed)
+run_cmake(NullTerminatedArgument)
include("${RunCMake_SOURCE_DIR}/EscapeCharsDisallowed.cmake")
run_cmake(ParenNoSpace0)
run_cmake(ParenNoSpace1)