From 3a8dcfa8b8ee6311cc6426e12580cfd179d3eb1d Mon Sep 17 00:00:00 2001
From: lemon
Date: Tue, 17 Jun 2025 10:34:01 +0200
Subject: forbid too long arrays & strings

---
 pez.c | 19 +++++++++++++++++--
 pez.h |  1 +
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/pez.c b/pez.c
index f341c78..72272ca 100644
--- a/pez.c
+++ b/pez.c
@@ -500,6 +500,8 @@ splittable64(uint64_t x)
 /* Objects */
 /***********/
 
+#define FX_MAX_INT 0x7FFFF
+
 static Proto *
 newproto(PezContext *cx, const char *file, const char *name, int line)
 {
@@ -738,6 +740,10 @@ box_str(PezContext *cx, Val *pv, const char *s, int len)
 		pv->r = r;
 		return 1;
 	}
+	if (len > FX_MAX_INT) {
+		cx->err = PEZ_ETooBig;
+		return 0;
+	}
 	TRY(slot = strpool_lookup(cx, s, len));
 	if (!*slot) {
 		Str *o = newobj(cx, PEZ_TString, sizeof(Str) + len + 1);
@@ -762,10 +768,14 @@ sizeofstr(Str *str)
 static Array *
 newarr(PezContext *cx, uint cap)
 {
-	Array *arr = newobj(cx, PEZ_TArray, sizeof *arr);
-	if (!arr) {
+	Array *arr;
+	if (cap > FX_MAX_INT) {
+		cx->err = PEZ_ETooBig;
 		return NULL;
 	}
+	arr = newobj(cx, PEZ_TArray, sizeof *arr);
+	if (!arr)
+		return NULL;
 	if (cap) {
 		if (!push(cx, box_obj(arr))) { // gc keep
 			cxfree(cx, arr, sizeof *arr);
@@ -785,6 +795,10 @@ arrpushn(PezContext *cx, Array *arr, Val *src, uint n)
 	if (cx->gccanrun && (cx->dbg & DBGstressgc)) {
 		gc(cx);
 	}
+	if (arr->len + n > FX_MAX_INT) {
+		cx->err = PEZ_ETooBig;
+		return 0;
+	}
 	if (arr->len + n - 1 >= arr->cap) {
 		uint newcap = (arr->len + n - 1) * 2;
 		Val *new;
@@ -4455,6 +4469,7 @@ pez_geterr(PezContext *cx)
 	case PEZ_ENoMem: return "out of memory";
 	case PEZ_ESyntax: return cx->errstr;
 	case PEZ_ERuntime: return cx->errstr;
+	case PEZ_ETooBig: return "object too big";
 	}
 	return NULL;
 }
diff --git a/pez.h b/pez.h
index 62946d2..b27ff4f 100644
--- a/pez.h
+++ b/pez.h
@@ -28,6 +28,7 @@ typedef enum PezError {
 	PEZ_ENoMem,
 	PEZ_ESyntax,
 	PEZ_ERuntime,
+	PEZ_ETooBig,
 } PezError;
 
 typedef struct PezContext PezContext;
-- 
cgit v1.2.3
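Review bot: The new `#define FX_MAX_INT 0x7FFFF` carries no comment saying what it bounds or why this particular value, yet the rest of the commit uses it as the cap for string lengths, array capacities and array lengths. A reader of `newproto` or the object section has no way to tell whether 0x7FFFF is a memory-safety limit or a representation limit (the `FX_` prefix suggests a fixnum range, but nothing on the page confirms that). Suggest documenting it at the definition, e.g. `/* Upper bound on string length and array length/capacity (box_str, newarr, arrpushn); objects past it fail with PEZ_ETooBig. */`, and extending the comment with the reason for the value once confirmed.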
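Review bot: The added `if (len > FX_MAX_INT)` in box_str rejects only oversized positive lengths, while `len` is an `int` and the following `newobj(cx, PEZ_TString, sizeof(Str) + len + 1)` converts it to size_t, so a negative `len` would still reach the allocation as a huge size. Whether any caller can pass a negative length is not visible here, but if it is not already guaranteed upstream the guard should be `if (len < 0 || len > FX_MAX_INT) {`, which costs nothing and closes the gap. The body of box_str begins before this hunk, so the earlier short-string path is not reviewed.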
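Review bot: The rewritten allocation check in newarr drops the braces the original `if (!arr) {` had, leaving `if (!arr)` / `return NULL;` unbraced while every other single-statement conditional in these hunks (`if (cx->gccanrun ...) { gc(cx); }`, the new `if (cap > FX_MAX_INT) {`) is braced. Keeping the file's brace style here avoids the usual dangling-statement hazard on later edits; suggest `if (!arr) {` / `return NULL;` / `}`. The function continues past the end of the hunk.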
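Review bot: The new `if (arr->len + n > FX_MAX_INT)` in arrpushn is computed in `uint` arithmetic, so a very large `n` can wrap `arr->len + n` to a small value and pass the check before reaching the existing `(arr->len + n - 1) * 2` growth computation. Assuming `arr->len` never exceeds FX_MAX_INT (newarr caps `cap`, and this check is meant to cap `len`), the wrap-free form is `if (n > FX_MAX_INT - arr->len) {`. Note also that the growth path can still set `newcap` to roughly twice FX_MAX_INT, whereas newarr rejects any `cap > FX_MAX_INT`; if the limit is a representation limit on capacity as well as length, the growth path needs the same clamp. arrpushn starts before this hunk and continues after it.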