
Index overflow access in Parser::parse_arguments()

Open virtualritz opened this issue 4 years ago • 6 comments

This line will cause a crash when head equals lexeme.len():

stream.push(lexeme[head + 1].get_token_value()); //int f(int val)
thread 'main' panicked at 'index out of bounds: the len is 3 but the index is 3', src/library/parser/mod.rs:832:25

virtualritz, Apr 10 '20 11:04

Here is another one:

thread 'main' panicked at 'index out of bounds: the len is 178 but the index is 178', src/library/parser/mod.rs:432:27

virtualritz, Apr 10 '20 11:04

For reference, I am trying to transpile this file: https://github.com/darktable-org/darktable/blob/master/src/iop/filmic.c

virtualritz, Apr 10 '20 11:04

Did you manage to find a workaround? I'm having the same issue

guilhermedelyra, May 08 '20 19:05

Needs fixing. It was not important enough for me to bother ... I translated that source manually. :)

virtualritz, May 08 '20 22:05

:( I tried it too, and I have 5 files that can be easily merged into a single one (~1.5 MB). 4 of the files have the same problem. The last one (the smallest file, only 188 kB) has already been running for 30 minutes, using less than one CPU core and with no log output after the file size :( I tried to return vec!["//TODO function :(".to_string()]; at the beginning of parse_function, where it fails next, and it printed:

Input file size : 1607527bytes
TokenizingInvoking Parser .... 564 : unop
 564 : unop
 564 : unop
 564 : unop
 564 : unop

and then nothing. I was also trying to print lexeme: &Vec<Token>, but I have no idea what it is, or what it should be, because the line numbers do not correspond to line numbers in the input file :(

Is there no doc, or did I just miss it when I was looking at the repo? I cannot help if I have no idea why it is doing this. But generally lexeme[head + 1] seems like a bad idea, especially when the loop condition is head < lexeme.len()

Kubikx, Jul 15 '20 10:07
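To make the failure mode concrete, here is an added example that is not crust's code: a minimal argument-list parser over a token vector in the same shape as the reported loop (head < lexeme.len() with an unchecked lexeme[head + 1] lookahead), beside a bounds-checked version that uses slice::get and returns an error instead of panicking. The Token enum, the parse_arguments signatures, the C-to-Rust type mapping and the sample inputs are all assumptions made for this illustration.

```rust
// Added example, not crust's own code. Models the reported pattern:
// a loop bounded by `head < lexeme.len()` that still indexes `head + 1`.

#[derive(Debug, Clone, PartialEq)]
pub enum Token {
    Ident(String), // type names and parameter names (assumed token shape)
    Comma,
}

/// Assumed C-to-Rust type mapping, just enough for the example.
fn c_type_to_rust(ty: &str) -> String {
    match ty {
        "int" => "i32".to_string(),
        "char" => "i8".to_string(),
        "float" => "f32".to_string(),
        "double" => "f64".to_string(),
        other => other.to_string(),
    }
}

/// Unchecked lookahead, as in the issue: `lexeme[head + 1]` is evaluated
/// whenever `lexeme[head]` is a type name, so an argument list that ends
/// with a type (e.g. `f(void)`) panics with
/// "index out of bounds: the len is N but the index is N".
pub fn parse_arguments_unchecked(lexeme: &[Token]) -> Vec<String> {
    let mut stream = Vec::new();
    let mut head = 0;
    while head < lexeme.len() {
        match &lexeme[head] {
            Token::Ident(ty) => {
                // Peek at the parameter name that should follow the type.
                if let Token::Ident(name) = &lexeme[head + 1] {
                    stream.push(format!("{}: {}", name, c_type_to_rust(ty)));
                    head += 2;
                } else {
                    head += 1;
                }
            }
            Token::Comma => head += 1,
        }
    }
    stream
}

/// Bounds-checked lookahead: `get(head + 1)` yields None at end of input,
/// which becomes a parse error rather than a panic. `void` alone means
/// "no parameters" (assumed handling).
pub fn parse_arguments_checked(lexeme: &[Token]) -> Result<Vec<String>, String> {
    if lexeme == [Token::Ident("void".to_string())] {
        return Ok(Vec::new());
    }
    let mut stream = Vec::new();
    let mut head = 0;
    while head < lexeme.len() {
        match &lexeme[head] {
            Token::Ident(ty) => match lexeme.get(head + 1) {
                Some(Token::Ident(name)) => {
                    stream.push(format!("{}: {}", name, c_type_to_rust(ty)));
                    head += 2;
                }
                Some(other) => {
                    return Err(format!(
                        "expected parameter name after '{}', found {:?}",
                        ty, other
                    ))
                }
                None => {
                    return Err(format!(
                        "unexpected end of argument list after '{}'",
                        ty
                    ))
                }
            },
            Token::Comma => head += 1,
        }
    }
    Ok(stream)
}

fn main() {
    // Constructed input: the argument list of `int f(void)`.
    let void_only = vec![Token::Ident("void".to_string())];
    // catch_unwind turns the panic into an Err so the demo keeps running.
    let unchecked = std::panic::catch_unwind(|| parse_arguments_unchecked(&void_only));
    println!("unchecked panicked: {}", unchecked.is_err());
    println!("checked: {:?}", parse_arguments_checked(&void_only));
}
```

The check a practitioner wants here is the one the checked version makes: every lookahead goes through get(), so end-of-input is a reported error at the token where it happened rather than a panic with a line number inside the parser.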

I managed to "isolate" one of these errors. It happens for a basic function like this:

void blake2s_final( blake2s_state *S, byte *digest )
{
  for( int i = 0; i < 8; ++i )
    RawPut4( S->h[i], digest + 4 * i );
}

Strangely enough this particular case is solved by adding braces:

void blake2s_final( blake2s_state *S, byte *digest )
{
  for( int i = 0; i < 8; ++i ) {
    RawPut4( S->h[i], digest + 4 * i );
  }
}

I say this is strange because this would imply that for-loops require braces, ~~but I've found cases where single line for-loops don't require braces.~~ It looks like I was wrong, for-loops seem to require braces.

Additionally, it looks like pre-processing directives for conditional compilation (#ifdef, #ifndef, etc.) cause the error as well. The use of headers also appears to mangle the output .rs file -- it probably has to do with the added commented code (since headers aren't supported).

If you're looking for test files, I recommend trying the source code of UnRAR from rarlab.com. All of the files I've tested in here (which doesn't mean all of them, just a lot of them) seem to give the index overflow error. The isolated example(s) above came from blake2s.cpp in the source code (it contains all the cases I mentioned that lead to the error). The version of source code I used is 6.0.5, but 6.0.6 works as well.

YenForYang, May 19 '21 20:05