From 2cffeca15881ff7d318fa6390a95a7be2c0795f0 Mon Sep 17 00:00:00 2001 From: David Declerck Date: Fri, 20 Dec 2024 15:34:34 +0100 Subject: [PATCH] Fix out of bounds read --- libcob/move.c | 46 +++++++++++++++++++-------------- tests/testsuite.src/run_misc.at | 20 ++++++++++++++ 2 files changed, 47 insertions(+), 19 deletions(-) diff --git a/libcob/move.c b/libcob/move.c index 1bd73b44..2c4ede5b 100644 --- a/libcob/move.c +++ b/libcob/move.c @@ -1114,7 +1114,7 @@ optimized_move_display_to_edited (cob_field *f1, cob_field *f2) continue; } for (n = p->times_repeated; n > 0; n--) { - unsigned int src_num = COB_D2I (*src); + unsigned int src_num; #ifndef NDEBUG if (dst >= dst_end) { cob_runtime_error ("optimized_move_display_to_edited: overflow in destination field"); @@ -1125,6 +1125,7 @@ optimized_move_display_to_edited (cob_field *f1, cob_field *f2) case '9': suppress_zero = 0; + src_num = COB_D2I (*src); *dst = COB_I2D (src_num); if (src_num != 0) { is_zero = 0; @@ -1134,6 +1135,7 @@ optimized_move_display_to_edited (cob_field *f1, cob_field *f2) break; case 'Z': + src_num = COB_D2I (*src); *dst = COB_I2D (src_num); pad = ' '; if (src_num != 0) { @@ -1148,6 +1150,7 @@ optimized_move_display_to_edited (cob_field *f1, cob_field *f2) break; case '*': + src_num = COB_D2I (*src); *dst = COB_I2D (src_num); have_check_protect = 1; if (src_num != 0) { @@ -1174,25 +1177,27 @@ optimized_move_display_to_edited (cob_field *f1, cob_field *f2) sign_position = dst; dst++; break; - } else if (src_num == 0 && suppress_zero && !have_decimal_point) { - *prev_float_char = ' '; - prev_float_char = dst; - sign_position = dst; - *dst = c; - dst++; - src++; - break; } else { - *dst = COB_I2D (src_num); - if (src_num != 0) { - is_zero = 0; - suppress_zero = 0; + src_num = COB_D2I (*src); + if (src_num == 0 && suppress_zero && !have_decimal_point) { + *prev_float_char = ' '; + prev_float_char = dst; + sign_position = dst; + *dst = c; + dst++; + src++; + break; + } else { + *dst = COB_I2D (src_num); + if (src_num != 0) { + is_zero = 0; + suppress_zero = 0; + } + dst++; + src++; + break; } - dst++; - src++; - break; } - case '.': case ',': if (c == dec_symbol) { @@ -1288,14 +1293,16 @@ optimized_move_display_to_edited (cob_field *f1, cob_field *f2) prev_float_char = dst; dst++; break; - } else if ((src_num == 0) && (suppress_zero) && (!have_decimal_point)) { + } else { + src_num = COB_D2I (*src); + if ((src_num == 0) && (suppress_zero) && (!have_decimal_point)) { *prev_float_char = ' '; prev_float_char = dst; *dst = c; dst++; src++; break; - } else { + } else { *dst = COB_I2D (src_num); if (src_num != 0) { is_zero = 0; @@ -1304,6 +1311,7 @@ optimized_move_display_to_edited (cob_field *f1, cob_field *f2) dst++; src++; break; + } } } } diff --git a/tests/testsuite.src/run_misc.at b/tests/testsuite.src/run_misc.at index 510b25d3..198dcfa2 100644 --- a/tests/testsuite.src/run_misc.at +++ b/tests/testsuite.src/run_misc.at @@ -15132,3 +15132,23 @@ AT_CHECK([COB_PROF_ENABLE=1 COB_PROF_FILE=prof.csv $COBCRUN_DIRECT ./caller], [0 ]) AT_CLEANUP + + +AT_SETUP([MOVE to NUMERIC-EDITED safety]) + +AT_DATA([prog.cob], [ + IDENTIFICATION DIVISION. + PROGRAM-ID. prog. + DATA DIVISION. + WORKING-STORAGE SECTION. + 01 X PIC 9(5) VALUE 0. + 01 Y PIC 9(5)CR. + PROCEDURE DIVISION. + MOVE X TO Y. + STOP RUN. +]) + +AT_CHECK([$COMPILE prog.cob]) +AT_CHECK([$COBCRUN_DIRECT ./prog], [0], [], []) + +AT_CLEANUP