shithub: rgbds

Fix out of bounds array access on invalid macro arg references A reference to an invalid macro argument (\ not followed by a digit between 1 and 9) will cause an access outside of the bounds of the currentmacroargs array in sym_FindMacroArg(). Macro arg references are processed in two places: In CopyMacroArg(): called when scanning tokens between "", {} and arguments of a macro call. The only problem here is that it accepts \0 as valid and so calls sym_FindMacroArg with a invalid value. In PutMacroArg(): called by the lexer automata when it encounters a token matching \\[0-9]? (in other cases than above). So not only it accepts \0 but also \ alone. Memo: In setuplex(), a rule is defined with a regex composed of up to three ranges of chars and takes the form: [FirstRange] or [FirstRange][SecondRange]? or [FirstRange]([SecondRange][Range]*)? On scanning, when several rules match, the first longuest one is choosen. Regression test: 1) SECTION "HOME", HOME db "\0" 2) SECTION "HOME", HOME db \A 3) SECTION "HOME", HOME db \

--- a/src/asm/globlex.c

+++ b/src/asm/globlex.c

@@ -208,10 +208,14 @@

 	char *s;

 	yyskipbytes(size);

-	if ((s = sym_FindMacroArg(src[1] - '0')) != NULL) {

-		yyunputstr(s);

+	if ((size == 2 && src[1] >= '1' && src[1] <= '9')) {

+		if ((s = sym_FindMacroArg(src[1] - '0')) != NULL) {

+			yyunputstr(s);

+		} else {

+			yyerror("Macro argument not defined");

+		}

 	} else {

-		yyerror("Macro argument not defined");

+		yyerror("Invalid macro argument");

 	return (0);

@@ -387,7 +391,7 @@

 	    id = lex_FloatAlloc(&tMacroArgToken);

 	lex_FloatAddFirstRange(id, '\\', '\\');

-	lex_FloatAddSecondRange(id, '0', '9');

+	lex_FloatAddSecondRange(id, '1', '9');

 	id = lex_FloatAlloc(&tMacroUniqueToken);

 	lex_FloatAddFirstRange(id, '\\', '\\');

 	lex_FloatAddSecondRange(id, '@', '@');

--- a/src/asm/lexer.c

+++ b/src/asm/lexer.c

@@ -437,7 +437,6 @@

 	int argNum;

 	switch (c) {

-	case '0':

 	case '1':

 	case '2':

 	case '3':

--

⑨