Merge pull request #83 from sashashura/sashashura-patch-1-1

Fix Heap-buffer-overflow READ in ODDLParser::OpenDDLParser::parseFloatingLiteral
kimkulling · Aug 12, 2023 · 60f2d08 · 60f2d08
2 parents 3fbbe5e + f09d53e
commit 60f2d08
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/code/OpenDDLParser.cpp b/code/OpenDDLParser.cpp
@@ -72,7 +72,7 @@ const char *getTypeToken(Value::ValueType type) {
     return Grammar::PrimitiveTypeToken[(size_t)type];
 }
 
-static void logInvalidTokenError(char *in, const std::string &exp, OpenDDLParser::logCallback callback) {
+static void logInvalidTokenError(const char *in, const std::string &exp, OpenDDLParser::logCallback callback) {
     if (callback) {
         std::string full(in);
         std::string part(full.substr(0, 50));
@@ -419,8 +419,8 @@ char *OpenDDLParser::parseStructureBody(char *in, char *end, bool &error) {
         }
 
         in = lookForNextToken(in, end);
-        if (*in != '}') {
-            logInvalidTokenError(in, std::string(Grammar::CloseBracketToken), m_logCallback);
+        if (in == end || *in != '}') {
+            logInvalidTokenError(in == end ? "" : in, std::string(Grammar::CloseBracketToken), m_logCallback);
             return nullptr;
         } else {
             //in++;
@@ -737,7 +737,7 @@ char *OpenDDLParser::parseFloatingLiteral(char *in, char *end, Value **floating,
 
     in = lookForNextToken(in, end);
     char *start(in);
-    while (!isSeparator(*in) && in != end) {
+    while (in != end && !isSeparator(*in)) {
         ++in;
     }
 
@@ -912,10 +912,10 @@ char *OpenDDLParser::parseDataList(char *in, char *end, Value::ValueType type, V
     }
 
     in = lookForNextToken(in, end);
-    if (*in == '{') {
+    if (in != end && *in == '{') {
         ++in;
         Value *current(nullptr), *prev(nullptr);
-        while ('}' != *in) {
+        while (in != end && '}' != *in) {
             current = nullptr;
             in = lookForNextToken(in, end);
             if (Value::ValueType::ddl_ref == type) {
@@ -973,11 +973,12 @@ char *OpenDDLParser::parseDataList(char *in, char *end, Value::ValueType type, V
             }
 
             in = getNextSeparator(in, end);
-            if (',' != *in && Grammar::CloseBracketToken[0] != *in && !isSpace(*in)) {
+            if (in == end || (',' != *in && Grammar::CloseBracketToken[0] != *in && !isSpace(*in))) {
                 break;
             }
         }
-        ++in;
+        if (in != end)
+            ++in;
     }
 
     return in;

diff --git a/include/openddlparser/OpenDDLParserUtils.h b/include/openddlparser/OpenDDLParserUtils.h
@@ -439,7 +439,7 @@ inline bool isEndofLine(const T in) {
 
 template <class T>
 inline static T *getNextSeparator(T *in, T *end) {
-    while (!isSeparator(*in) || in == end) {
+    while (in != end && !isSeparator(*in)) {
         ++in;
     }
     return in;