Potential crash with non-integer array size #585

ehaas · 2023-11-27T19:29:16Z

Strange one found via fuzzing. If the array size specifier is .invalid:

[-w-f]" "f [f]" "f[-w-f]

panic: reached unreachable code
/Users/ehaas/source/arocc/src/aro/Type.zig:2345:21: 0x1080024ce in fromType (arocc)
            else => unreachable,
                    ^
/Users/ehaas/source/arocc/src/aro/Parser.zig:435:30: 0x108000b88 in typeStr (arocc)
    if (Type.Builder.fromType(ty).str(p.comp.langopts)) |str| return str;
                             ^
/Users/ehaas/source/arocc/src/aro/Parser.zig:2984:70: 0x10817ad8b in directDeclarator (arocc)
            try p.errStr(.array_size_non_int, size_tok, try p.typeStr(size.ty));
                                                                     ^
/Users/ehaas/source/arocc/src/aro/Parser.zig:2879:38: 0x1080e7d99 in declarator (arocc)
        d.ty = try p.directDeclarator(d.ty, &d, kind);
                                     ^
/Users/ehaas/source/arocc/src/aro/Parser.zig:1746:31: 0x1080e529c in initDeclarator (arocc)
        .d = (try p.declarator(decl_spec.ty, .normal)) orelse return null,
                              ^

The text was updated successfully, but these errors were encountered:

Vexu · 2023-11-27T21:13:55Z

Fixed by something like:

diff --git a/src/aro/Parser.zig b/src/aro/Parser.zig
index ebaa318..3b84321 100644
--- a/src/aro/Parser.zig
+++ b/src/aro/Parser.zig
@@ -2980,6 +2980,7 @@ fn directDeclarator(p: *Parser, base_type: Type, d: *Declarator, kind: Declarato
         if (max_bits > 61) max_bits = 61;
         const max_bytes = (@as(u64, 1) << @truncate(max_bits)) - 1;
 
+        if (size.ty.is(.invalid)) return Type.invalid;
         if (!size.ty.isInt()) {
             try p.errStr(.array_size_non_int, size_tok, try p.typeStr(size.ty));
             return error.ParsingFailed;

ehaas · 2023-11-28T04:55:47Z

Here's an alternate path to trigger it:

struct Foo {
    int a;
} a;

char *f(char *arg) {
    return arg + a?a;
}

Do you think we should check in the typeStr functions? I'm guessing any place we call that could potentially have an invalid type

Vexu · 2023-11-28T11:49:39Z

That would solve the issue but it'd be nicer to properly handle invalid where needed. Maybe we could add a release mode check for invalid in typeStr* so that release modes don't crash?

Closes Vexu#585 Co-authored-by: Veikka Tuominen <git@vexu.eu>

ehaas added bug Something isn't working crash A bug that causes the compiler to crash labels Nov 27, 2023

ehaas added a commit to ehaas/arocc that referenced this issue Dec 14, 2023

Parser: check for invalid type as array size

5533802

Closes Vexu#585 Co-authored-by: Veikka Tuominen <git@vexu.eu>

ehaas mentioned this issue Dec 14, 2023

Add protection from calling typeStr with an invalid type #601

Merged

ehaas added a commit to ehaas/arocc that referenced this issue Dec 15, 2023

Parser: check for invalid type as array size

bbb912e

Closes Vexu#585 Co-authored-by: Veikka Tuominen <git@vexu.eu>

Vexu linked a pull request Feb 7, 2024 that will close this issue

Add protection from calling typeStr with an invalid type #601

Merged

Vexu closed this as completed in #601 Feb 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Potential crash with non-integer array size #585

Potential crash with non-integer array size #585

ehaas commented Nov 27, 2023

Vexu commented Nov 27, 2023

ehaas commented Nov 28, 2023 •

edited

Loading

Vexu commented Nov 28, 2023

Potential crash with non-integer array size #585

Potential crash with non-integer array size #585

Comments

ehaas commented Nov 27, 2023

Vexu commented Nov 27, 2023

ehaas commented Nov 28, 2023 • edited Loading

Vexu commented Nov 28, 2023

ehaas commented Nov 28, 2023 •

edited

Loading