From b29842a818ea978a85c0646cd3c2b3191b0498fc Mon Sep 17 00:00:00 2001
From: Brad King
Date: Tue, 26 Jun 2018 11:51:44 -0400
Subject: ListFileLexer: Do not match null bytes in input

Extend the fix from commit v3.10.0-rc1~188^2 (ListFileLexer: fix heap-buffer-overflow on malicious input, 2017-08-26) to apply to all lexer token matches. Replace all `.` with `[^\0\n]`. Update all `[^...]` match expressions to not match `\0`. We cannot safely process null bytes in strings.

Fixes: #18124
---
 Source/LexerParser/cmListFileLexer.c | 196 ++++++++++-----------
 Source/LexerParser/cmListFileLexer.in.l | 6 +-
 .../RunCMake/Syntax/NullAfterBackslash-result.txt | 1 +
 .../RunCMake/Syntax/NullAfterBackslash-stderr.txt | 5 +
 Tests/RunCMake/Syntax/NullAfterBackslash.cmake | Bin 0 -> 113 bytes
 Tests/RunCMake/Syntax/RunCMakeTest.cmake | 1 +
 6 files changed, 106 insertions(+), 103 deletions(-)
 create mode 100644 Tests/RunCMake/Syntax/NullAfterBackslash-result.txt
 create mode 100644 Tests/RunCMake/Syntax/NullAfterBackslash-stderr.txt
 create mode 100644 Tests/RunCMake/Syntax/NullAfterBackslash.cmake
diff --git a/Source/LexerParser/cmListFileLexer.c b/Source/LexerParser/cmListFileLexer.c
index c6f524c..eb37337 100644
--- a/Source/LexerParser/cmListFileLexer.c
+++ b/Source/LexerParser/cmListFileLexer.c
@@ -576,16 +576,16 @@ struct yy_trans_info flex_int32_t yy_verify; flex_int32_t yy_nxt; }; -static const flex_int16_t yy_accept[81] = +static const flex_int16_t yy_accept[79] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 4, 25, 13, 22, 1, 16, 3, 13, 5, 6, 7, - 15, 23, 23, 17, 19, 20, 21, 17, 10, 11, - 8, 10, 12, 9, 24, 4, 13, 0, 13, 0, - 22, 0, 0, 7, 13, 0, 13, 0, 2, 0, - 13, 17, 0, 18, 10, 8, 4, 0, 14, 0, - 0, 0, 0, 14, 0, 0, 14, 0, 0, 0, - 2, 14, 0, 0, 0, 0, 0, 0, 0, 0 + 15, 23, 23, 17, 19, 20, 21, 24, 10, 11, + 8, 12, 9, 4, 13, 0, 13, 0, 22, 0, + 0, 7, 13, 0, 13, 0, 2, 0, 13, 17, + 0, 18, 10, 8, 4, 0, 14, 0, 0, 0, + 0, 14, 0, 0, 14, 0, 0, 0, 2, 14, + 0, 0, 0, 0, 0, 0, 0, 0 } ; static const YY_CHAR yy_ec[256] = 
@@ -623,89 +623,87 @@ static const YY_CHAR yy_ec[256] = static const YY_CHAR yy_meta[17] = { 0, 1, 1, 2, 3, 4, 3, 1, 3, 5, 6, - 1, 6, 1, 1, 7, 8 + 1, 6, 1, 1, 7, 2 } ; -static const flex_int16_t yy_base[99] = +static const flex_int16_t yy_base[97] = { 0, 0, 0, 14, 28, 42, 56, 70, 84, 18, 19, - 69, 100, 16, 323, 323, 55, 59, 323, 323, 13, - 115, 0, 323, 52, 323, 323, 21, 51, 0, 323, - 53, 0, 323, 323, 323, 0, 0, 126, 55, 0, - 25, 25, 53, 0, 0, 136, 53, 0, 57, 0, - 0, 42, 50, 323, 0, 43, 0, 146, 160, 45, - 172, 43, 26, 0, 42, 184, 0, 42, 195, 40, - 323, 40, 0, 38, 37, 34, 32, 31, 23, 323, - 211, 219, 227, 235, 243, 251, 259, 267, 274, 281, - 285, 291, 298, 302, 304, 310, 314, 316 + 68, 100, 16, 298, 298, 54, 58, 298, 298, 13, + 115, 0, 298, 51, 298, 298, 21, 298, 0, 298, + 53, 298, 298, 0, 0, 126, 55, 0, 25, 25, + 53, 0, 0, 136, 53, 0, 57, 0, 0, 42, + 50, 298, 0, 43, 0, 146, 160, 45, 172, 43, + 26, 0, 42, 177, 0, 42, 188, 40, 298, 40, + 0, 38, 37, 34, 32, 31, 23, 298, 197, 204, + 211, 218, 225, 232, 239, 245, 252, 259, 262, 268, + 275, 278, 280, 286, 289, 291 } ; -static const flex_int16_t yy_def[99] = +static const flex_int16_t yy_def[97] = { 0, - 80, 1, 81, 81, 82, 82, 83, 83, 84, 84, - 80, 80, 80, 80, 80, 80, 12, 80, 80, 12, - 80, 85, 80, 86, 80, 80, 86, 86, 87, 80, - 80, 87, 80, 80, 80, 88, 12, 89, 12, 90, - 80, 80, 91, 20, 12, 92, 12, 21, 80, 93, - 12, 86, 86, 80, 87, 80, 88, 89, 80, 58, - 89, 94, 80, 59, 91, 92, 59, 66, 92, 95, - 80, 59, 96, 97, 94, 98, 95, 97, 98, 0, - 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, - 80, 80, 80, 80, 80, 80, 80, 80 + 78, 1, 79, 79, 80, 80, 81, 81, 82, 82, + 78, 78, 78, 78, 78, 78, 12, 78, 78, 12, + 78, 83, 78, 84, 78, 78, 84, 78, 85, 78, + 78, 78, 78, 86, 12, 87, 12, 88, 78, 78, + 89, 20, 12, 90, 12, 21, 78, 91, 12, 84, + 84, 78, 85, 78, 86, 87, 78, 56, 87, 92, + 78, 57, 89, 90, 57, 64, 90, 93, 78, 57, + 94, 95, 92, 96, 93, 95, 96, 0, 78, 78, + 78, 78, 78, 78, 78, 78, 78, 78, 78, 78, + 78, 78, 78, 78, 78, 78 } ; -static const 
flex_int16_t yy_nxt[340] = +static const flex_int16_t yy_nxt[315] = { 0, 12, 13, 14, 13, 15, 16, 17, 18, 19, 12, - 12, 20, 21, 22, 12, 23, 25, 41, 26, 41, - 14, 14, 44, 54, 44, 52, 41, 27, 41, 28, - 25, 66, 26, 35, 35, 63, 63, 49, 49, 58, - 67, 27, 66, 28, 30, 59, 58, 62, 67, 76, - 64, 59, 74, 56, 52, 53, 31, 32, 30, 71, - 70, 64, 62, 56, 53, 53, 43, 42, 80, 80, - 31, 32, 30, 80, 80, 80, 80, 80, 80, 80, - 80, 80, 80, 80, 34, 35, 30, 80, 80, 80, - 80, 80, 80, 80, 80, 80, 80, 80, 34, 35, - - 37, 80, 80, 80, 38, 80, 39, 80, 80, 37, - 37, 37, 37, 40, 37, 45, 80, 80, 80, 46, - 80, 47, 80, 80, 45, 48, 45, 49, 50, 45, - 59, 80, 60, 80, 80, 80, 80, 80, 80, 61, - 67, 80, 68, 80, 80, 80, 80, 80, 80, 69, - 59, 80, 60, 80, 80, 80, 80, 80, 80, 61, - 59, 80, 80, 80, 38, 80, 72, 80, 80, 59, - 59, 59, 59, 73, 59, 58, 80, 58, 80, 58, - 58, 80, 80, 80, 80, 80, 80, 58, 67, 80, - 68, 80, 80, 80, 80, 80, 80, 69, 66, 80, - - 66, 80, 66, 66, 80, 80, 80, 80, 80, 80, - 66, 24, 24, 24, 24, 24, 24, 24, 24, 29, - 29, 29, 29, 29, 29, 29, 29, 33, 33, 33, - 33, 33, 33, 33, 33, 36, 36, 36, 36, 36, - 36, 36, 36, 51, 80, 51, 51, 51, 51, 51, - 51, 52, 80, 52, 80, 52, 52, 52, 52, 55, - 80, 55, 55, 55, 55, 80, 55, 57, 80, 57, - 57, 57, 57, 57, 58, 80, 80, 58, 80, 58, - 58, 37, 80, 37, 37, 37, 37, 37, 37, 65, - 65, 66, 80, 80, 66, 80, 66, 66, 45, 80, - - 45, 45, 45, 45, 45, 45, 75, 75, 77, 77, - 59, 80, 59, 59, 59, 59, 59, 59, 78, 78, - 79, 79, 11, 80, 80, 80, 80, 80, 80, 80, - 80, 80, 80, 80, 80, 80, 80, 80, 80 + 12, 20, 21, 22, 12, 23, 25, 39, 26, 39, + 14, 14, 42, 52, 42, 50, 39, 27, 39, 28, + 25, 64, 26, 28, 28, 61, 61, 47, 47, 56, + 65, 27, 64, 28, 30, 57, 56, 60, 65, 74, + 62, 57, 72, 54, 50, 51, 31, 28, 30, 69, + 68, 62, 60, 54, 51, 41, 40, 78, 78, 78, + 31, 28, 30, 78, 78, 78, 78, 78, 78, 78, + 78, 78, 78, 78, 33, 28, 30, 78, 78, 78, + 78, 78, 78, 78, 78, 78, 78, 78, 33, 28, + + 35, 78, 78, 78, 36, 78, 37, 78, 78, 35, + 35, 35, 35, 38, 35, 43, 78, 78, 78, 44, + 78, 45, 78, 78, 43, 46, 43, 47, 
48, 43, + 57, 78, 58, 78, 78, 78, 78, 78, 78, 59, + 65, 78, 66, 78, 78, 78, 78, 78, 78, 67, + 57, 78, 58, 78, 78, 78, 78, 78, 78, 59, + 57, 78, 78, 78, 36, 78, 70, 78, 78, 57, + 57, 57, 57, 71, 57, 56, 78, 56, 78, 56, + 56, 65, 78, 66, 78, 78, 78, 78, 78, 78, + 67, 64, 78, 64, 78, 64, 64, 24, 24, 24, + + 24, 24, 24, 24, 29, 29, 29, 29, 29, 29, + 29, 32, 32, 32, 32, 32, 32, 32, 34, 34, + 34, 34, 34, 34, 34, 49, 78, 49, 49, 49, + 49, 49, 50, 78, 50, 78, 50, 50, 50, 53, + 78, 53, 53, 53, 53, 55, 78, 55, 55, 55, + 55, 55, 56, 78, 78, 56, 78, 56, 56, 35, + 78, 35, 35, 35, 35, 35, 63, 63, 64, 78, + 78, 64, 78, 64, 64, 43, 78, 43, 43, 43, + 43, 43, 73, 73, 75, 75, 57, 78, 57, 57, + 57, 57, 57, 76, 76, 77, 77, 11, 78, 78, + + 78, 78, 78, 78, 78, 78, 78, 78, 78, 78, + 78, 78, 78, 78 } ; -static const flex_int16_t yy_chk[340] = +static const flex_int16_t yy_chk[315] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 13, 3, 13, - 9, 10, 20, 27, 20, 27, 41, 3, 41, 3, - 4, 79, 4, 9, 10, 42, 63, 42, 63, 78, - 77, 4, 76, 4, 5, 75, 74, 72, 70, 68, - 65, 62, 60, 56, 53, 52, 5, 5, 6, 49, - 47, 43, 39, 31, 28, 24, 17, 16, 11, 0, + 9, 10, 20, 27, 20, 27, 39, 3, 39, 3, + 4, 77, 4, 9, 10, 40, 61, 40, 61, 76, + 75, 4, 74, 4, 5, 73, 72, 70, 68, 66, + 63, 60, 58, 54, 51, 50, 5, 5, 6, 47, + 45, 41, 37, 31, 24, 17, 16, 11, 0, 0, 6, 6, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 7, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 8, 
@@ -713,29 +711,27 @@ static const flex_int16_t yy_chk[340] = 12, 0, 0, 0, 12, 0, 12, 0, 0, 12, 12, 12, 12, 12, 12, 21, 0, 0, 0, 21, 0, 21, 0, 0, 21, 21, 21, 21, 21, 21, - 38, 0, 38, 0, 0, 0, 0, 0, 0, 38, - 46, 0, 46, 0, 0, 0, 0, 0, 0, 46, - 58, 0, 58, 0, 0, 0, 0, 0, 0, 58, - 59, 0, 0, 0, 59, 0, 59, 0, 0, 59, - 59, 59, 59, 59, 59, 61, 0, 61, 0, 61, - 61, 0, 0, 0, 0, 0, 0, 61, 66, 0, - 66, 0, 0, 0, 0, 0, 0, 66, 69, 0, - - 69, 0, 69, 69, 0, 0, 0, 0, 0, 0, - 69, 81, 81, 81, 81, 81, 81, 81, 81, 82, - 82, 82, 82, 82, 82, 82, 82, 83, 83, 83, - 83, 83, 83, 83, 83, 84, 84, 84, 84, 84, - 84, 84, 84, 85, 0, 85, 85, 85, 85, 85, - 85, 86, 0, 86, 0, 86, 86, 86, 86, 87, - 0, 87, 87, 87, 87, 0, 87, 88, 0, 88, - 88, 88, 88, 88, 89, 0, 0, 89, 0, 89, - 89, 90, 0, 90, 90, 90, 90, 90, 90, 91, - 91, 92, 0, 0, 92, 0, 92, 92, 93, 0, - - 93, 93, 93, 93, 93, 93, 94, 94, 95, 95, - 96, 0, 96, 96, 96, 96, 96, 96, 97, 97, - 98, 98, 80, 80, 80, 80, 80, 80, 80, 80, - 80, 80, 80, 80, 80, 80, 80, 80, 80 + 36, 0, 36, 0, 0, 0, 0, 0, 0, 36, + 44, 0, 44, 0, 0, 0, 0, 0, 0, 44, + 56, 0, 56, 0, 0, 0, 0, 0, 0, 56, + 57, 0, 0, 0, 57, 0, 57, 0, 0, 57, + 57, 57, 57, 57, 57, 59, 0, 59, 0, 59, + 59, 64, 0, 64, 0, 0, 0, 0, 0, 0, + 64, 67, 0, 67, 0, 67, 67, 79, 79, 79, + + 79, 79, 79, 79, 80, 80, 80, 80, 80, 80, + 80, 81, 81, 81, 81, 81, 81, 81, 82, 82, + 82, 82, 82, 82, 82, 83, 0, 83, 83, 83, + 83, 83, 84, 0, 84, 0, 84, 84, 84, 85, + 0, 85, 85, 85, 85, 86, 0, 86, 86, 86, + 86, 86, 87, 0, 0, 87, 0, 87, 87, 88, + 0, 88, 88, 88, 88, 88, 89, 89, 90, 0, + 0, 90, 0, 90, 90, 91, 0, 91, 91, 91, + 91, 91, 92, 92, 93, 93, 94, 0, 94, 94, + 94, 94, 94, 95, 95, 96, 96, 78, 78, 78, + + 78, 78, 78, 78, 78, 78, 78, 78, 78, 78, + 78, 78, 78, 78 } ; /* Table of booleans, true if rule could match eol. */ 
@@ -1093,13 +1089,13 @@ yy_match: while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 81 ) + if ( yy_current_state >= 79 ) yy_c = yy_meta[yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; ++yy_cp; } - while ( yy_base[yy_current_state] != 323 ); + while ( yy_base[yy_current_state] != 298 ); yy_find_action: yy_act = yy_accept[yy_current_state]; @@ -1674,7 +1670,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 81 ) + if ( yy_current_state >= 79 ) yy_c = yy_meta[yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; @@ -1703,11 +1699,11 @@ static int yy_get_next_buffer (yyscan_t yyscanner) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 81 ) + if ( yy_current_state >= 79 ) yy_c = yy_meta[yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; - yy_is_jam = (yy_current_state == 80); + yy_is_jam = (yy_current_state == 78); (void)yyg; return yy_is_jam ? 0 : yy_current_state; diff --git a/Source/LexerParser/cmListFileLexer.in.l b/Source/LexerParser/cmListFileLexer.in.l index f2fd538..23c7e49 100644 --- a/Source/LexerParser/cmListFileLexer.in.l +++ b/Source/LexerParser/cmListFileLexer.in.l @@ -74,7 +74,7 @@ static void cmListFileLexerDestroy(cmListFileLexer* lexer); %x COMMENT MAKEVAR \$\([A-Za-z0-9_]*\) -UNQUOTED ([^ \0\t\r\n\(\)#\\\"[=]|\\.) +UNQUOTED ([^ \0\t\r\n\(\)#\\\"[=]|\\[^\0\n]) LEGACY {MAKEVAR}|{UNQUOTED}|\"({MAKEVAR}|{UNQUOTED}|[ \t[=])*\" %% @@ -156,7 +156,7 @@ LEGACY {MAKEVAR}|{UNQUOTED}|\"({MAKEVAR}|{UNQUOTED}|[ \t[=])*\" return 1; } -([^]\n])+ { +([^]\0\n])+ { cmListFileLexerAppend(lexer, yytext, yyleng); lexer->column += yyleng; } 
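Review bot: The `\\[^\0\n]` escape alternative in the UNQUOTED definition, and the `\0` added to the negated classes in the `@@ -156` and `@@ -208` hunks, carry no comment saying why NUL must be excluded, so the next rule written with `.` or a plain `[^...]` class would quietly reintroduce the problem fixed here (in flex both `.` and a negated class match a NUL byte). A short comment above the definitions would pin the invariant, e.g. `/* Never let a token match a NUL byte: use [^\0\n] instead of '.' and list \0 in every negated class -- we cannot safely process null bytes in strings (#18124). */`. As the expected NullAfterBackslash-stderr.txt shows, a backslash followed by NUL now falls through to the bad-character rule and the parse stops, which is the intended outcome. Only these three rules are visible in the hunks, so whether any other `.` or `[^...]` remains elsewhere in the file cannot be checked from here.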
@@ -208,7 +208,7 @@ LEGACY {MAKEVAR}|{UNQUOTED}|\"({MAKEVAR}|{UNQUOTED}|[ \t[=])*\"
 BEGIN(STRING);
 }
 
-([^\\\n\"]|\\.)+ {
+([^\\\0\n\"]|\\[^\0\n])+ {
 cmListFileLexerAppend(lexer, yytext, yyleng);
 lexer->column += yyleng;
 }
diff --git a/Tests/RunCMake/Syntax/NullAfterBackslash-result.txt b/Tests/RunCMake/Syntax/NullAfterBackslash-result.txt
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/Tests/RunCMake/Syntax/NullAfterBackslash-result.txt
@@ -0,0 +1 @@
+1
diff --git a/Tests/RunCMake/Syntax/NullAfterBackslash-stderr.txt b/Tests/RunCMake/Syntax/NullAfterBackslash-stderr.txt
new file mode 100644
index 0000000..e7ba440
--- /dev/null
+++ b/Tests/RunCMake/Syntax/NullAfterBackslash-stderr.txt
@@ -0,0 +1,5 @@
+CMake Error at NullAfterBackslash.cmake:1:
+ Parse error. Function missing ending "\)". Instead found bad character
+ with text "\\".
+Call Stack \(most recent call first\):
+ CMakeLists.txt:3 \(include\)
diff --git a/Tests/RunCMake/Syntax/NullAfterBackslash.cmake b/Tests/RunCMake/Syntax/NullAfterBackslash.cmake
new file mode 100644
index 0000000..ed96904
Binary files /dev/null and b/Tests/RunCMake/Syntax/NullAfterBackslash.cmake differ
diff --git a/Tests/RunCMake/Syntax/RunCMakeTest.cmake b/Tests/RunCMake/Syntax/RunCMakeTest.cmake
index 628df91..b8f5fd0 100644
--- a/Tests/RunCMake/Syntax/RunCMakeTest.cmake
+++ b/Tests/RunCMake/Syntax/RunCMakeTest.cmake
@@ -55,6 +55,7 @@ run_cmake(BracketNoSpace5)
 run_cmake(Escape1)
 run_cmake(Escape2)
 run_cmake(EscapeCharsAllowed)
+run_cmake(NullAfterBackslash)
 run_cmake(NullTerminatedArgument)
 include("${RunCMake_SOURCE_DIR}/EscapeCharsDisallowed.cmake")
 run_cmake(ParenNoSpace0)
-- cgit v0.12