From: Francis Dupont <fdupont@isc.org>
Date: Fri, 13 Nov 2015 15:16:23 +0000 (+0100)
Subject: [4088fd] Added protection against integer overflow
X-Git-Tag: trac4088fd_before_unquote
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2021d663a7a01820f3cd960161d35ff8797fb6e;p=thirdparty%2Fkea.git

[4088fd] Added protection against integer overflow
---

diff --git a/src/lib/eval/lexer.cc b/src/lib/eval/lexer.cc
index 77087e80c0..ba342c19ad 100644
--- a/src/lib/eval/lexer.cc
+++ b/src/lib/eval/lexer.cc
@@ -589,8 +589,8 @@ int yy_flex_debug = 1;
 
 static yyconst flex_int16_t yy_rule_linenum[17] =
     {   0,
-       83,   87,   93,  101,  107,  117,  123,  137,  138,  139,
-      140,  141,  142,  143,  144,  146
+       83,   87,   93,  108,  114,  124,  130,  144,  145,  146,
+      147,  148,  149,  150,  151,  153
     } ;
 
 /* The intent behind this definition is that it'll catch
@@ -1052,12 +1052,19 @@ YY_RULE_SETUP
     std::string tmp(yytext+1);
     tmp.resize(tmp.size() - 1);
 
+    try {
+        static_cast<void>(boost::lexical_cast<int>(tmp));
+    } catch (const boost::bad_lexical_cast &) {
+        // In fact it is not a valid number
+        return isc::eval::EvalParser::make_STRING(tmp, loc);
+    }
+
     return isc::eval::EvalParser::make_NUMBER(tmp, loc);
 }
 	YY_BREAK
 case 4:
 YY_RULE_SETUP
-#line 101 "lexer.ll"
+#line 108 "lexer.ll"
 {
      // A string containing the "all" keyword.
 
@@ -1066,7 +1073,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 5:
 YY_RULE_SETUP
-#line 107 "lexer.ll"
+#line 114 "lexer.ll"
 {
     // A string has been matched. It contains the actual string and single quotes.
     // We need to get those quotes out of the way and just use its content, e.g.
@@ -1079,7 +1086,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 6:
 YY_RULE_SETUP
-#line 117 "lexer.ll"
+#line 124 "lexer.ll"
 {
     // A hex string has been matched. It contains the '0x' or '0X' header
     // followed by at least one hexadecimal digit.
@@ -1088,7 +1095,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 7:
 YY_RULE_SETUP
-#line 123 "lexer.ll"
+#line 130 "lexer.ll"
 {
     // An integer was found.
     std::string tmp(yytext);
@@ -1105,59 +1112,59 @@ YY_RULE_SETUP
 	YY_BREAK
 case 8:
 YY_RULE_SETUP
-#line 137 "lexer.ll"
+#line 144 "lexer.ll"
 return isc::eval::EvalParser::make_EQUAL(loc);
 	YY_BREAK
 case 9:
 YY_RULE_SETUP
-#line 138 "lexer.ll"
+#line 145 "lexer.ll"
 return isc::eval::EvalParser::make_OPTION(loc);
 	YY_BREAK
 case 10:
 YY_RULE_SETUP
-#line 139 "lexer.ll"
+#line 146 "lexer.ll"
 return isc::eval::EvalParser::make_SUBSTRING(loc);
 	YY_BREAK
 case 11:
 YY_RULE_SETUP
-#line 140 "lexer.ll"
+#line 147 "lexer.ll"
 return isc::eval::EvalParser::make_LPAREN(loc);
 	YY_BREAK
 case 12:
 YY_RULE_SETUP
-#line 141 "lexer.ll"
+#line 148 "lexer.ll"
 return isc::eval::EvalParser::make_RPAREN(loc);
 	YY_BREAK
 case 13:
 YY_RULE_SETUP
-#line 142 "lexer.ll"
+#line 149 "lexer.ll"
 return isc::eval::EvalParser::make_LBRACKET(loc);
 	YY_BREAK
 case 14:
 YY_RULE_SETUP
-#line 143 "lexer.ll"
+#line 150 "lexer.ll"
 return isc::eval::EvalParser::make_RBRACKET(loc);
 	YY_BREAK
 case 15:
 YY_RULE_SETUP
-#line 144 "lexer.ll"
+#line 151 "lexer.ll"
 return isc::eval::EvalParser::make_COMA(loc);
 	YY_BREAK
 case 16:
 YY_RULE_SETUP
-#line 146 "lexer.ll"
+#line 153 "lexer.ll"
 driver.error (loc, "Invalid character: " + std::string(yytext));
 	YY_BREAK
 case YY_STATE_EOF(INITIAL):
-#line 147 "lexer.ll"
+#line 154 "lexer.ll"
 return isc::eval::EvalParser::make_END(loc);
 	YY_BREAK
 case 17:
 YY_RULE_SETUP
-#line 148 "lexer.ll"
+#line 155 "lexer.ll"
 ECHO;
 	YY_BREAK
-#line 1161 "lexer.cc"
+#line 1168 "lexer.cc"
 
 	case YY_END_OF_BUFFER:
 		{
@@ -2245,7 +2252,7 @@ void yyfree (void * ptr )
 
 /* %ok-for-header */
 
-#line 148 "lexer.ll"
+#line 155 "lexer.ll"
 
 
 
diff --git a/src/lib/eval/lexer.ll b/src/lib/eval/lexer.ll
index 68f258d406..d36c81268b 100644
--- a/src/lib/eval/lexer.ll
+++ b/src/lib/eval/lexer.ll
@@ -95,6 +95,13 @@ blank [ \t]
     std::string tmp(yytext+1);
     tmp.resize(tmp.size() - 1);
 
+    try {
+        static_cast<void>(boost::lexical_cast<int>(tmp));
+    } catch (const boost::bad_lexical_cast &) {
+        // In fact it is not a valid number
+        return isc::eval::EvalParser::make_STRING(tmp, loc);
+    }
+
     return isc::eval::EvalParser::make_NUMBER(tmp, loc);
 }
 
diff --git a/src/lib/eval/tests/context_unittest.cc b/src/lib/eval/tests/context_unittest.cc
index 366a677073..cd2c9a6629 100644
--- a/src/lib/eval/tests/context_unittest.cc
+++ b/src/lib/eval/tests/context_unittest.cc
@@ -252,7 +252,13 @@ TEST_F(EvalContextTest, scanParseErrors) {
     checkError("option[65536]",
                "<string>:1.8-12: Option code has invalid "
                "value in 65536. Allowed range: 0..65535");
+    checkError("option[12345678901234567890]",
+               "<string>:1.8-27: Failed to convert 12345678901234567890 "
+               "to an integer.");
     checkError("option[123] < 'foo'", "<string>:1.13: Invalid character: <");
+    checkError("substring('foo','12345678901234567890','1')",
+               "<string>:1.17-38: syntax error, unexpected constant string, "
+               "expecting a number in a constant string");
 }
 
 // Tests some parser error cases