From 44fab4c678c6fc1cba3511923c0a4e0a2d2e0f79 Mon Sep 17 00:00:00 2001 From: omicron Date: Tue, 1 Apr 2025 23:36:08 +0200 Subject: [PATCH] Fix incorrect size comparison in lexer_consume_n The buffer length len and the requested number of tokens n are mixed up in an invalid comparison. This causes all valid requests for n < len tokens to be denied and all invalid requests for n > len tokens to be accepted. This may cause a buffer overflow if the caller requests more characters than they provide space for. --- src/lexer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lexer.c b/src/lexer.c index 08a96bd..27aef0c 100644 --- a/src/lexer.c +++ b/src/lexer.c @@ -183,7 +183,7 @@ error_t *lexer_consume_n(lexer_t *lex, const size_t len, char buffer[static len], const size_t n) { if (lex->buffer_count < n) return err_buffer_underrun; - if (len > n) + if (n > len) return err_consume_excessive_length; memcpy(buffer, lex->buffer, n);