authorcinap_lenrek <cinap_lenrek@felloff.net>2016-05-16 22:24:39 +0200
committercinap_lenrek <cinap_lenrek@felloff.net>2016-05-16 22:24:39 +0200
commit83f8d591689cae964ba58fbcf172f6a4fa7003ed (patch)
tree6e29365d89a006c313c48387ee5a4745be804e55
parent32e23bdb5939c879f947cd6c0ae423165646180c (diff)
cc: prevent symbol buffer overflow
-rw-r--r--sys/src/cmd/cc/lex.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/sys/src/cmd/cc/lex.c b/sys/src/cmd/cc/lex.c
index 837cf668c..bc05f3d1b 100644
--- a/sys/src/cmd/cc/lex.c
+++ b/sys/src/cmd/cc/lex.c
@@ -734,6 +734,8 @@ talph:
* prefix has been stored
*/
for(;;) {
+ if(cp >= &symb[NSYMB-UTFmax-1])
+ goto toolong;
if(c >= Runeself) {
for(c1=0;;) {
cp[c1++] = c;
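Review bot: The guard at the top of the `talph` loop is only sufficient if the inner rune loop (`cp[c1++] = c;`) stops within `UTFmax` bytes, and that loop's exit condition lies outside this hunk; confirm it cannot run longer on malformed multi-byte input. The margin itself deserves a comment such as `/* room for one rune of up to UTFmax bytes plus the terminating NUL */`. The same check is repeated with `NSYMB-1` and `NSYMB-2` in the `tnum`, `casedot` and `casee` hunks. Each copy has to match the number of bytes stored after it, so a one-line comment on every margin would make a wrong margin or a missed store path easier to spot.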
@@ -782,6 +784,8 @@ tnum:
if(c != '0') {
c1 |= Numdec;
for(;;) {
+ if(cp >= &symb[NSYMB-1])
+ goto toolong;
*cp++ = c;
c = GETC();
if(isdigit(c))
@@ -793,6 +797,8 @@ tnum:
c = GETC();
if(c == 'x' || c == 'X')
for(;;) {
+ if(cp >= &symb[NSYMB-1])
+ goto toolong;
*cp++ = c;
c = GETC();
if(isdigit(c))
@@ -809,6 +815,8 @@ tnum:
goto dc;
for(;;) {
if(c >= '0' && c <= '7') {
+ if(cp >= &symb[NSYMB-1])
+ goto toolong;
*cp++ = c;
c = GETC();
continue;
@@ -880,6 +888,8 @@ nret:
casedot:
for(;;) {
+ if(cp >= &symb[NSYMB-1])
+ goto toolong;
*cp++ = c;
c = GETC();
if(!isdigit(c))
@@ -889,6 +899,8 @@ casedot:
goto caseout;
casee:
+ if(cp >= &symb[NSYMB-2])
+ goto toolong;
*cp++ = 'e';
c = GETC();
if(c == '+' || c == '-') {
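Review bot: The `NSYMB-2` margin in `casee` differs from the `NSYMB-1` used in the other numeric loops and is not explained. It presumably reserves one extra byte for the optional sign stored inside the `if(c == '+' || c == '-')` branch, whose body lies outside this hunk. I would add `/* room for 'e' and an optional sign */` above the check so that nobody later "corrects" it to `NSYMB-1` and reopens a one-byte overflow of `symb`.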
@@ -898,6 +910,8 @@ casee:
if(!isdigit(c))
yyerror("malformed fp constant exponent");
while(isdigit(c)) {
+ if(cp >= &symb[NSYMB-1])
+ goto toolong;
*cp++ = c;
c = GETC();
}
@@ -921,6 +935,11 @@ caseout:
if(c1 & Numflt)
return LFCONST;
return LDCONST;
+
+toolong:
+ yyerror("token too long: %.*s...", (int)(cp-symb), symb);
+ errorexit();
+ return -1;
}
/*
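Review bot: The `toolong` handler should carry a comment explaining two things that are easy to break. First, every `goto toolong` in this commit fires before the pending byte is stored and before any terminator is written, so `symb` is not NUL-terminated here and the `%.*s` precision is what bounds the read. Second, `return -1` is reached only if `errorexit()` returns, which it presumably does not. Suggested comment: `/* symb is unterminated here; %.*s bounds the read. errorexit() should not return. */`. The message can also echo nearly `NSYMB` bytes of the offending token, and whether `yyerror` truncates long output is not visible in this diff, so that is worth confirming.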