Merge pull request #2484 from mgreter/bugfix/memory-corruption

Fix memory corruption on error in parse_selector_schema
sass · Oct 6, 2017 · 11a9862 · 11a9862
2 parents 0e12964 + a12c47c
commit 11a9862
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/src/ast_def_macros.hpp b/src/ast_def_macros.hpp
@@ -33,7 +33,7 @@ class LocalOption {
 
 #define NESTING_GUARD(name) \
   LocalOption<size_t> cnt_##name(name, name + 1); \
-  if (nestings > MAX_NESTING) throw Exception::NestingLimitError(pstate); \
+  if (name > MAX_NESTING) throw Exception::NestingLimitError(pstate); \
 
 #define ATTACH_OPERATIONS()\
 virtual void perform(Operation<void>* op) { (*op)(this); }\

diff --git a/src/eval.cpp b/src/eval.cpp
@@ -1789,11 +1789,28 @@ namespace Sass {
     Expression_Obj sel = s->contents()->perform(this);
     std::string result_str(sel->to_string(ctx.c_options));
     result_str = unquote(Util::rtrim(result_str));
-    Parser p = Parser::from_c_str(result_str.c_str(), ctx, s->pstate());
+    char* temp_cstr = sass_copy_c_string(result_str.c_str());
+    ctx.strings.push_back(temp_cstr); // attach to context
+    Parser p = Parser::from_c_str(temp_cstr, ctx, s->pstate());
     p.last_media_block = s->media_block();
     // a selector schema may or may not connect to parent?
     bool chroot = s->connect_parent() == false;
     Selector_List_Obj sl = p.parse_selector_list(chroot);
+    auto vec_str_rend = ctx.strings.rend();
+    auto vec_str_rbegin = ctx.strings.rbegin();
+    // remove the first item searching from the back
+    // we cannot assume our item is still the last one
+    // order is not important, so we can optimize this
+    auto it = std::find(vec_str_rbegin, vec_str_rend, temp_cstr);
+    // undefined behavior if not found!
+    if (it != vec_str_rend) {
+      // overwrite with last item
+      *it = ctx.strings.back();
+      // remove last one from vector
+      ctx.strings.pop_back();
+      // free temporary copy
+      free(temp_cstr);
+    }
     flag_is_in_selector_schema.reset();
     return operator()(sl);
   }

diff --git a/src/file.cpp b/src/file.cpp
@@ -415,7 +415,7 @@ namespace Sass {
           file.seekg(0, std::ios::beg);
           file.read(contents, size);
           contents[size+0] = '\0';
-          contents[size+0] = '\0';
+          contents[size+1] = '\0';
           file.close();
         }
       #endif