Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix out-of-bounds access in gototab array for caret character (#47)
When matching a caret, the expression `f->gototab[s][c] = f->curstat;` in cgoto() will index the 2D-array gototab with [s][261]. However, gototab is declared as being of size [NSTATES][NCHARS], so [32][259]. Therefore, this assignment will write to the state for character 0x1. I'm not sure how to create a regression test for this, but increasing the array size to HAT+1 values fixes the error and the tests still pass. I found this issue while running awk on a CHERI system with sub-object protection enabled. On x86, this can be reproduced by compiling awk with -fsanitize=undefined.
- Loading branch information