On Mon, 11 Apr 2011, Ed Smith-Rowland wrote: > + case CPP_CHAR_USERDEF: > + case CPP_WCHAR_USERDEF: > + case CPP_CHAR16_USERDEF: > + case CPP_CHAR32_USERDEF: > + { > + tree literal; > + cpp_token temp_tok = *tok; > + char suffix[256] = ""; > + cpp_get_userdef_suffix (tok->val.str, '\'', suffix);
This fixed-length buffer appears to have a buffer overrun vulnerability; you must avoid such overruns in the presence of suffixes of arbitrary length (up to 2GB, anyway, so don't assume they are short enough to allocate on the stack; once you get past values representable in "int" there are lots of pre-existing problems including "int" being used for the length of a STRING_CST) unless there is some other reason long suffixes cannot occur. > + case CPP_STRING_USERDEF: > + case CPP_WSTRING_USERDEF: > + case CPP_STRING16_USERDEF: > + case CPP_STRING32_USERDEF: > + case CPP_UTF8STRING_USERDEF: > + { > + tree literal; > + char suffix[256] = ""; > + cpp_get_userdef_suffix (tok->val.str, '"', suffix); Likewise. > + copylen -= strlen(suffix); Missing space before '('. There are lots of other spacing problems in this patch - spaces missing before '(', or in casts, or spaces present where they shouldn't be. > + char suffix[256] = "", curr_suffix[256] = ""; More fixed-size buffers that need fixing. > + /* If the numeric argument didn't work, look for a raw literal > + operator taking a const char* argument consisting of the number > + in string format. */ > + char str[256] = ""; And yet more. > +/* Return an identifier node for a user-defined literal operator. > + The suffix identifier is chained to the operator name identifier. */ > + > +static tree > +cp_literal_operator_id (const char* name) > +{ > + tree identifier; > + char buffer[256]; And more. > +static void > +write_literal_operator_name (tree identifier) > +{ > + tree suffix_id; > + char buffer[256]; And more. > + if (type == CPP_STRING_USERDEF ) And here you have lots of cases of excess space before ')'. -- Joseph S. Myers jos...@codesourcery.com
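Review bot: In the CPP_CHAR_USERDEF / CPP_WCHAR_USERDEF / CPP_CHAR16_USERDEF / CPP_CHAR32_USERDEF hunk, the call `cpp_get_userdef_suffix (tok->val.str, '\'', suffix);` passes only the destination `char suffix[256]` and no size, so the callee has no way to bound the copy however it is written. Since the suffix text already lives inside tok->val.str, consider having cpp_get_userdef_suffix return the suffix start and its length (or take `sizeof suffix` and fail cleanly when it does not fit) instead of copying into a fixed stack array; that removes the stack overrun noted above for every caller at once.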
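Review bot: In the CPP_STRING_USERDEF hunk, `copylen -= strlen(suffix);` assumes the suffix was copied in full; if the replacement for the fixed buffer ever truncates, strlen (suffix) no longer equals the real suffix length and copylen is computed wrongly. Whatever replaces the 256-byte buffer should hand back the suffix length explicitly, and a `gcc_assert (strlen (suffix) <= copylen);` before the subtraction would catch a mismatch early. The same line also needs the space before '(' that GNU style requires.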
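Review bot: In cp_literal_operator_id, `char buffer[256];` is sized without reference to the `name` argument, and the comment says the suffix identifier is chained to the operator name, so the buffer has to hold both pieces. Compute the combined length and allocate with XNEWVEC (char, len) or use libiberty's concat (), freeing the temporary after get_identifier has interned its copy, rather than relying on the two names fitting in 256 bytes.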
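Review bot: write_literal_operator_name declares `char buffer[256];` to assemble the mangled name, but the mangler elsewhere appends to its output with write_string and write_char rather than staging text in a local array; following that pattern removes the length limit entirely. If a local buffer is kept, check the length of suffix_id against sizeof buffer before formatting into it.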
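Review bot: `if (type == CPP_STRING_USERDEF )` carries a stray space before ')', and other lines in the patch (for example `strlen(suffix)` and some casts) lack the space before '(' that GNU coding style requires; a pass over the whole patch for spacing before reposting would clear these in one go.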