From b9d3383a6cf0a6c055159596d0ef7802cce5bb04 Mon Sep 17 00:00:00 2001
From: Gavin Howard
Date: Sun, 25 Jul 2021 14:30:58 -0600
Subject: Fix a crash found by AFL++
This crash was caused by trying to do math with an assignment operator on a variable that had a string stored inside. Easy fix.
Signed-off-by: Gavin Howard
---
src/program.c | 8 ++++++++
1 file changed, 8 insertions(+)
(limited to 'src')
diff --git a/src/program.c b/src/program.c
index 9892912f..cb558ee0 100644
--- a/src/program.c
+++ b/src/program.c
@@ -1289,6 +1289,9 @@ static void bc_program_assign(BcProgram *p, uchar inst) {
 // If we have a normal assignment operator, not a math one...
 if (BC_INST_IS_ASSIGN(inst)) {
+ // Assigning to a variable that has a string here is fine because there
+ // is no math done on it.
+
 // BC_RESULT_TEMP, BC_RESULT_IBASE, BC_RESULT_OBASE, BC_RESULT_SCALE,
 // and BC_RESULT_SEED all have temporary copies. Because that's the
 // case, we can free the left and just move the value over. We set the
@@ -1315,6 +1318,11 @@ static void bc_program_assign(BcProgram *p, uchar inst) {
 // we need to prepare for a binary operator.
 BcBigDig scale = BC_PROG_SCALE(p);
+ // At this point, the left side could still be a string because it could
+ // be a variable that has the string. If that's the case, we have a type
+ // error.
+ if (BC_PROG_STR(l)) bc_err(BC_ERR_EXEC_TYPE);
+
 // Get the right type of assignment operator, whether val is used or
 // NO_VAL for performance.
 if (!use_val)
-- cgit v1.2.3
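Review bot: The new `if (BC_PROG_STR(l)) bc_err(BC_ERR_EXEC_TYPE);` in the second hunk checks only the left operand; whether the right operand can still hold a string when the math-assignment path reaches this point is not visible in the hunk, and if it can, the same type check belongs beside this one. The diffstat shows only src/program.c changed, so the AFL++ reproducer (a math-assignment operator applied to a variable holding a string) should also be added to the test suite as a regression test so the fixed crash stays covered. The added comment could state the invariant the rest of the function relies on, e.g. `// From here on both operands must be numbers; a string on the left is a type error.` bc_program_assign starts and ends outside both hunks.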