
Crash caused by missing lvalue initializer / Exploitable buffer overruns #1

Open
EtchedPixels opened this issue Jun 22, 2016 · 2 comments

Comments

@EtchedPixels

If primary generates an error, it generates an immediate 0 but does not set lval->symbol and lval->indirect to 0, which causes a memory scribble and can crash.

Also, symname should only copy NAMEMAX bytes and then discard the remainder.

And fix_include_name() should use strncat/strlcat.

The top one is an annoying bug; the others are more of an amusement, but they do mean I can feed scc8080 source code that forks a shell and executes arbitrary code!

@ncb85
Owner

ncb85 commented Jun 24, 2016

Thanks!

  1. primary - you probably mean line 98. It should be like this:
    lval->symbol = 0;
  2. symname - OK, will commit it.
  3. fix_inc.. - not so sure; strlcat is non-standard, and strncat is for fixed-width strings, if I am correct.

@EtchedPixels
Author

Depends what you have to hand, I guess.

I've found a couple of other blind copies to symbol->name as well since then.

Getting a somewhat modified version of it (ANSIfied to find all the type mismatches etc.) up and running on Fuzix as a native small compiler. Been adding Z80 and other bits to it - much fun.

I changed the end of primary to the following to fix the crashes:

    /* Clear both fields before any early return, so the caller never
       sees stale values in lval on the error path. */
    lval->symbol = 0;
    lval->indirect = 0;
    if (constant(num))
        return 0;
    else {
        error("invalid expression");
        gen_immediate();
        output_number(0);
        newline();
        junk();
        return 0;
    }
}   /* end of primary() */
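The two bounded copies the report asks for (symname copying at most NAMEMAX bytes and discarding the rest of the identifier, and fix_include_name() building its path with a length-checked strncat), as an added C example that is not scc8080's code and was not posted by either participant. NAMEMAX, PATHMAX, struct lexer and every function body here are assumptions made for this example; the unbounded symname_unbounded() is included only to show the shape of the original overrun next to its fix, and the sample identifier and paths are constructed input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits for this example; scc8080's real NAMEMAX is not
   reproduced here and may differ. */
#define NAMEMAX 8
#define PATHMAX 64

/* Minimal stand-in for the compiler's input pointer. */
struct lexer {
    const char *p;
};

/* The unbounded shape of the bug from the issue: every identifier
   character is copied into name[] regardless of that buffer's size.
   A caller passing a NAMEMAX-sized symbol->name is overrun by any
   identifier of NAMEMAX or more characters. Only ever called here with
   a deliberately oversized scratch buffer. */
int symname_unbounded(struct lexer *lx, char *name)
{
    int n = 0;
    if (!isalpha((unsigned char)*lx->p) && *lx->p != '_')
        return 0;
    while (isalnum((unsigned char)*lx->p) || *lx->p == '_')
        name[n++] = *lx->p++;
    name[n] = '\0';
    return 1;
}

/* Bounded version: store at most NAMEMAX-1 characters, always
   NUL-terminate, and keep consuming the rest of the identifier so the
   lexer position still ends up just past it. */
int symname_bounded(struct lexer *lx, char name[NAMEMAX])
{
    int n = 0;
    if (!isalpha((unsigned char)*lx->p) && *lx->p != '_')
        return 0;
    while (isalnum((unsigned char)*lx->p) || *lx->p == '_') {
        if (n < NAMEMAX - 1)
            name[n++] = *lx->p;
        lx->p++;            /* discard anything beyond the limit */
    }
    name[n] = '\0';
    return 1;
}

/* Bounded include-path builder: dir + "/" + file into out[PATHMAX].
   Returns 1 on success, or 0 with out[] empty if the result would not
   fit (terminating NUL included). strncat's size argument is the number
   of bytes that may still be appended, not the total buffer size;
   passing sizeof(out) there is the classic strncat misuse. */
int fix_include_name(char out[PATHMAX], const char *dir, const char *file)
{
    size_t need = strlen(dir) + 1 + strlen(file) + 1;
    out[0] = '\0';
    if (need > PATHMAX)
        return 0;
    strncat(out, dir, PATHMAX - strlen(out) - 1);
    strncat(out, "/", PATHMAX - strlen(out) - 1);
    strncat(out, file, PATHMAX - strlen(out) - 1);
    return 1;
}

int main(void)
{
    /* Constructed sample input: an identifier longer than NAMEMAX. */
    struct lexer lx = { "verylongidentifier+1" };
    char name[NAMEMAX];
    char scratch[64];
    char path[PATHMAX];

    symname_bounded(&lx, name);
    printf("bounded:   name=\"%s\" rest=\"%s\"\n", name, lx.p);

    lx.p = "verylongidentifier+1";
    symname_unbounded(&lx, scratch);   /* safe only because scratch is big */
    printf("unbounded: name=\"%s\" (%zu bytes written)\n",
           scratch, strlen(scratch) + 1);

    if (fix_include_name(path, "/usr/include", "stdio.h"))
        printf("include:   %s\n", path);
    return 0;
}
```

The point of consuming the remainder in symname_bounded() is that truncating alone is not enough: if the lexer stopped at the NAMEMAX boundary, the leftover identifier characters would be re-read as the next token and the parse would go wrong in a different way. Likewise, the up-front size check in fix_include_name() is what makes the strncat calls meaningful; without it a too-long path would be silently cut short rather than rejected.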
