rem overflow

[npocmaka_]

Example (I dont know why But I couldnt put the code here).


the commented line must contain 8198 characters and at least one of them delimited.Then you can add & and some command.

Tested on Win8.1 x 64

The only potential 'usage' I see is for malicious scripts where nobody will expect the last part to be executed.

[penpen]

Strange:
If i replace the space between the '1' and '2' with a 'z' it doesn't echo.


penpen

[mcnd]

Not the first time it bites. Do you think this is related?

More than a rem overflow I think it is a parser buffer overflow. What I see it that the parser will remove the starting rem and the initial delimiter (the first space) so the ampersand falls in the position 8192, the buffer is splitted at this point and the @echo is executed in the next buffer instance

[npocmaka_]

Strange:
If i replace the space between the '1' and '2' with a 'z' it doesn't echo.


penpen

Exactly . There should be at list one delimiter in the remarked line.

Not the first time it bites. Do you think this is related?

More than a rem overflow I think it is a parser buffer overflow. What I see it that the parser will remove the starting rem and the initial delimiter (the first space) so the ampersand falls in the position 8192, the buffer is splitted at this point and the @echo is executed in the next buffer instance

The behavior with the spaces looks very similar.Probably yes....

[jeb]

Nice experiment

I suppose it's caused by the special REM parser, as the rem parser examines the first token (after the rem) to check if it's /? and the next token will be ignored completely.

Sample

Code: Select all

@echo ON
REM Hello^
This line is part of the comment

REM Hello world^
This Line is NOT a comment

But in your case, the REM and the ECHO are executed.

Code: Select all

@echo off
rem /? 7890zz....zzz&ECHO Works

I used 8180 z's here

Leitet Kommentare in einer Batchdatei oder in CONFIG.SYS ein.

REM [Kommentar]
Works

I tried it with labels(:) but can't find any similar behaviour