luke
/
iverilog
mirror of https://github.com/steveicarus/iverilog.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

vvp: Bound VPI label scanset parsing 

The VPI label resolver parses word and string labels into a 32 byte
temporary buffer. The scansets used by sscanf() did not specify a width,
so malformed labels could write past the end of the buffer.

Limit the scansets to the size of the buffer.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
This commit is contained in:
Lars-Peter Clausen 2026-06-19 21:43:33 -07:00
parent d5a16b31a1
commit 593a97bede
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
vvp/compile.cc
View File

@ -594,7 +594,7 @@ bool vpi_handle_resolv_list_s::resolve(bool mes)
unsigned base, wid;
size_t n = 0;
char ss[32];
if (2 == sscanf(label(), "W<%u,%[r]>%zn", &base, ss, &n)
if (2 == sscanf(label(), "W<%u,%31[r]>%zn", &base, ss, &n)
&& n == strlen(label())) {
val.ptr = vpip_make_vthr_word(base, ss);
@ -606,7 +606,7 @@ bool vpi_handle_resolv_list_s::resolve(bool mes)
val.ptr = vpip_make_vthr_str_stack(base);
sym_set_value(sym_vpi, label(), val);
} else if (3 == sscanf(label(), "S<%u,vec4,%[su]%u>%zn", &base, ss, &wid, &n)
} else if (3 == sscanf(label(), "S<%u,vec4,%31[su]%u>%zn", &base, ss, &wid, &n)
&& n == strlen(label())) {
bool signed_flag = false;