From c8018b54c14f0b549358960906d8b63f60d51ed9 Mon Sep 17 00:00:00 2001
From: Huyou <huyou36@126.com>
Date: Thu, 22 Oct 2020 14:52:42 +0800
Subject: [PATCH] modify vuln3 vuln5

---
 poc/vuln-3.poc  |  4 +---
 poc/vuln-5.poc  |  4 +---
 src/vuln-3/dc.c | 18 ++++++++++--------
 src/vuln-5/dc.c | 17 +++++++++--------
 4 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/poc/vuln-3.poc b/poc/vuln-3.poc
index 9898eb7..eba4958 100644
--- a/poc/vuln-3.poc
+++ b/poc/vuln-3.poc
@@ -1,4 +1,2 @@
 push 5
-store a
-load a
-print
\ No newline at end of file
+store aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
\ No newline at end of file
diff --git a/poc/vuln-5.poc b/poc/vuln-5.poc
index 5bd0e4a..eba4958 100644
--- a/poc/vuln-5.poc
+++ b/poc/vuln-5.poc
@@ -1,4 +1,2 @@
 push 5
-store a
-remove a
-list
\ No newline at end of file
+store aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
\ No newline at end of file
diff --git a/src/vuln-3/dc.c b/src/vuln-3/dc.c
index 0d9795a..2b3e940 100644
--- a/src/vuln-3/dc.c
+++ b/src/vuln-3/dc.c
@@ -72,7 +72,13 @@ static void node_print(const node_t *p){
 static node_t *node_new(const char *varname, const value_t value){
   node_t *new = malloc(sizeof(node_t));
   assert(new != NULL && "new: malloc failed");
-  new->varname = strdup(varname);
+
+  //new->varname = strdup(varname);
+
+  /*---- vuln-3 ----*/
+  new->varname = (char *)malloc(1014 * sizeof(char));
+  strcpy(new->varname, varname);
+
   assert(new->varname != NULL && "new: strdup varname failed");
   new->value = value;
   new->left = NULL;
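Review bot: The added `strcpy(new->varname, varname);` copies a caller-supplied name into a fixed 1014-byte heap block with no length check, so any name of 1014 or more characters writes past the allocation; the vuln-5 node_new hunk has the same pattern with a 1013-byte block. The `assert(new->varname != NULL ...)` that follows now runs after the copy, so a failed malloc is dereferenced before it is checked, and its "strdup varname failed" message no longer matches the code. Moving the check first and bounding the copy keeps the interface: `new->varname = malloc(1014); assert(new->varname != NULL && "new: malloc varname failed"); snprintf(new->varname, 1014, "%s", varname);` — and since a silently truncated key could collide with another variable, it is better to reject names with `strlen(varname) >= 1014` than to truncate. node_new's body continues past the hunk.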
@@ -429,10 +435,8 @@ int save_levelorder(const node_t *p,
 
 /* returns 0 on successful execution of the instruction in inst */
 static int execute(void){
-
-	/*---- vuln3 ----*/
-  char * toks[2]; /* these are pointers to start of different tokens */
-  const unsigned int numToks = tokenise(inst,toks,2);
+  char * toks[4]; /* these are pointers to start of different tokens */
+  const unsigned int numToks = tokenise(inst,toks,4);
     
   if (numToks == 0){
     /* blank line */
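Review bot: The capacity of `toks` is written twice on the added lines, once as the array bound `char * toks[4]` and again as the literal in `tokenise(inst,toks,4)`, so a later change to one silently desynchronizes the other; the vuln-5 execute hunk duplicates the same pair. Deriving the count from the array removes the second literal: `char *toks[4]; const unsigned int numToks = tokenise(inst, toks, sizeof toks / sizeof toks[0]);`. Whether tokenise bounds its writes by that third argument is not visible here and is worth confirming, because later branches compare `numToks` against 2 and the array was previously sized for exactly that. execute's body continues past the hunk.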
@@ -445,9 +449,7 @@ static int execute(void){
       return -1;
     }
     debug_printf("Looking up: %s\n",toks[1]);
-
-	/*---- vuln3 ----*/
-    const node_t *p = lookup(map,toks[2]);
+    const node_t *p = lookup(map,toks[1]);
     if (p != NULL){
       if (stack_full()){
         debug_printf("Trying to load onto full stack\n");
diff --git a/src/vuln-5/dc.c b/src/vuln-5/dc.c
index de84ea6..129aadb 100644
--- a/src/vuln-5/dc.c
+++ b/src/vuln-5/dc.c
@@ -72,7 +72,12 @@ static void node_print(const node_t *p){
 static node_t *node_new(const char *varname, const value_t value){
   node_t *new = malloc(sizeof(node_t));
   assert(new != NULL && "new: malloc failed");
-  new->varname = strdup(varname);
+  //new->varname = strdup(varname);
+
+  /*---- vuln-5 ----*/
+  new->varname = (char *)malloc(1013 * sizeof(char));
+  strcpy(new->varname, varname);
+
   assert(new->varname != NULL && "new: strdup varname failed");
   new->value = value;
   new->left = NULL;
@@ -429,10 +434,8 @@ int save_levelorder(const node_t *p,
 
 /* returns 0 on successful execution of the instruction in inst */
 static int execute(void){
-
-	/*---- vuln5 ----*/
-  char * toks[2]; /* these are pointers to start of different tokens */
-  const unsigned int numToks = tokenise(inst,toks,2);
+  char * toks[4]; /* these are pointers to start of different tokens */
+  const unsigned int numToks = tokenise(inst,toks,4);
     
   if (numToks == 0){
     /* blank line */
@@ -568,9 +571,7 @@ static int execute(void){
       return -1;
     }
     debug_printf("Removing: %s\n",toks[1]);
-
-	/*---- vuln5 ----*/
-    map = rem(map,toks[2]);
+    map = rem(map,toks[1]);
     
   } else if (strcmp(toks[0],INSTRUCTION_SAVE) == 0){
     if (numToks != 2){
-- 
GitLab