This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH] gas: config: Fix memory overflow issue about strncat()


And for me, in another area within md_assemble(), I worry about the
strncpy(): may not let 'insn->name' must be zero terminated.

  "strncpy (insn->name, str, TIC4X_NAME_MAX - 3);"

But I don't know why 'TIC4X_NAME_MAX - 3', so I only worry about it, but
do not know whether it is an issue or not.

Welcome any ideas for it (if necessary, can help send patch for it).

Thanks.

On 10/13/14 23:05, Chen Gang wrote:
> strncat() will append additional '\0' to destination memory, so need
> additional 1 byte for it, or may cause memory overflow.
> 
> 2014-10-14  Chen Gang  <gang.chen.5i5j@gmail.com>
> 
> 	* config/tc-tic4x.c (md_assemble): Fix memory overflow issue
> 	about strncat().
> ---
>  gas/config/tc-tic4x.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/gas/config/tc-tic4x.c b/gas/config/tc-tic4x.c
> index 904a68c..193abbb 100644
> --- a/gas/config/tc-tic4x.c
> +++ b/gas/config/tc-tic4x.c
> @@ -2456,7 +2456,7 @@ md_assemble (char *str)
>        if (*s)			/* Null terminate for hash_find.  */
>  	*s++ = '\0';		/* and skip past null.  */
>        strcat (insn->name, "_");
> -      strncat (insn->name, str, TIC4X_NAME_MAX - strlen (insn->name));
> +      strncat (insn->name, str, TIC4X_NAME_MAX - strlen (insn->name) - 1);
>  
>        insn->operands[insn->num_operands++].mode = M_PARALLEL;
>  
> 
-- 
Chen Gang

Open, share, and attitude like air, water, and life which God blessed


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]