Commit 0126cbd
fix: out-of-bounds read in NumericUnkMaker::checkPeriod for trailing digit+period

`checkPeriod` bounded the lookahead with `pos + 1 < codepoints.size()`, but
the index it actually read was `posPeriod + 1 = start + pos + 1`. On the
second pass of `spawnNodes` (start > 0) the two diverge, so inputs like
`10.` or `ほげ4.` read one past the end of the codepoint vector and
caused the crash reported in #157.

Bound the lookahead against the absolute index instead. Dropped the now-dead
`pos + 1` check so the condition reflects what is actually being guarded.

Added regression tests for `10.` and `ほげ4.`; both abort on the prior
code under libstdc++ debug mode / ASan.

Closes #157.

1 parent c2b8b59 commit 0126cbd
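
The mismatch the commit message describes, as an added example that is not the project's code: a small model of a lookahead that is bounded with the relative offset but read at the absolute index, next to one bounded on the index it reads. The function names, the `Lookahead` enum and the `start`/`pos` values in `main` are assumptions made for illustration; the model reports the bad index instead of dereferencing it.

```cpp
#include <cstddef>
#include <string>
#include <vector>

using Codepoints = std::vector<char32_t>;
enum class Lookahead { NoDigit, Digit, OutOfBounds };

static bool isDigit(char32_t c) { return c >= U'0' && c <= U'9'; }

Codepoints toCodepoints(const std::u32string& s) {
    return Codepoints(s.begin(), s.end());
}

// Prior guard as described: the bound uses the relative offset `pos`,
// while the index that gets read is the absolute `start + pos + 1`.
Lookahead relativeGuard(const Codepoints& cp, std::size_t start, std::size_t pos) {
    const std::size_t posPeriod = start + pos;
    if (pos + 1 < cp.size()) {
        // The real code would index here; the model flags the overrun instead.
        if (posPeriod + 1 >= cp.size()) return Lookahead::OutOfBounds;
        return isDigit(cp[posPeriod + 1]) ? Lookahead::Digit : Lookahead::NoDigit;
    }
    return Lookahead::NoDigit;
}

// Guard after the fix: the bound is on the index that is actually read.
Lookahead absoluteGuard(const Codepoints& cp, std::size_t start, std::size_t pos) {
    const std::size_t posPeriod = start + pos;
    if (posPeriod + 1 < cp.size() && isDigit(cp[posPeriod + 1]))
        return Lookahead::Digit;
    return Lookahead::NoDigit;
}

int main() {
    // Constructed inputs: the two strings named in the commit message, with
    // assumed (start, pos) pairs that place the period at the last index.
    const Codepoints ascii = toCodepoints(U"10.");            // size 3
    const Codepoints mixed = toCodepoints(U"\u307B\u30524."); // "ほげ4.", size 4
    bool ok = relativeGuard(ascii, 1, 1) == Lookahead::OutOfBounds
           && relativeGuard(mixed, 2, 1) == Lookahead::OutOfBounds
           && absoluteGuard(ascii, 1, 1) == Lookahead::NoDigit
           && absoluteGuard(mixed, 2, 1) == Lookahead::NoDigit;
    return ok ? 0 : 1;
}
```

With `start == 0` the two guards agree, which is why the overrun only shows up once a pass begins at a non-zero offset.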
2 files changed, +22 -1 lines changed (src/core/analysis)

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
245 | 245 | | |
246 | 246 | | |
247 | 247 | | |
248 | | - | |
| 248 | + | |
249 | 249 | | |
250 | 250 | | |
251 | 251 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
243 | 243 | | |
244 | 244 | | |
245 | 245 | | |
| 246 | + | |
| 247 | + | |
| 248 | + | |
| 249 | + | |
| 250 | + | |
| 251 | + | |
| 252 | + | |
| 253 | + | |
| 254 | + | |
| 255 | + | |
| 256 | + | |
| 257 | + | |
| 258 | + | |
| 259 | + | |
| 260 | + | |
| 261 | + | |
| 262 | + | |
| 263 | + | |
| 264 | + | |
| 265 | + | |
| 266 | + | |
246 | 267 | | |
247 | 268 | | |
248 | 269 | | |
| |||