Summary: | macro.c get_any_string should check bounds in the while-loop | ||
---|---|---|---|
Product: | binutils | Reporter: | wuheng <wu.heng> |
Component: | gas | Assignee: | Not yet assigned to anyone <unassigned> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | nickc, wu.heng |
Priority: | P2 | ||
Version: | 2.32 | ||
Target Milestone: | --- | ||
Host: | Target: | ||
Build: | Last reconfirmed: | ||
Attachments: | The fault sample |
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1b2ed39c3a7ee2870f3d16a510d31e8d5916afbc

commit 1b2ed39c3a7ee2870f3d16a510d31e8d5916afbc
Author: Wu Heng <wu.heng@zte.com.cn>
Date: Fri Jan 4 16:18:59 2019 +0000

    Fix potential buffer overrun whilst scanning macro strings.

    PR 24010
    * macro.c (get_any_string): Check for end of input whilst scanning for separators.

Hi Wu Heng,

Thanks (again) for the bug report and patch.

I have applied the patch along with a new ChangeLog entry.

Cheers
Nick

(In reply to Nick Clifton from comment #2)
> Hi Wu Heng,
>
> Thanks (again) for the bug report and patch.
>
> I have applied the patch along with a new ChangeLog entry.
>
> Cheers
> Nick

Thanks (again) for verifying and merging this patch.
Created attachment 11476 [details] The fault sample In the loop below, we do not think about the length of "idx > in->PTR", as the in->PTR may not end in separator. We should add a judgment of "idx < in->len". while (!ISSEP (in->ptr[idx])) sb_add_char (out, in->ptr[idx++]); here is the patch diff --git a/gas/macro.c b/gas/macro.c index 6c0e554..9b542e8 100644 --- a/gas/macro.c +++ b/gas/macro.c @@ -369,7 +369,7 @@ get_any_string (size_t idx, sb *in, sb *out) { if (in->len > idx + 2 && in->ptr[idx + 1] == '\'' && ISBASE (in->ptr[idx])) { - while (!ISSEP (in->ptr[idx])) + while (idx < in->len && !ISSEP (in->ptr[idx])) sb_add_char (out, in->ptr[idx++]); } else if (in->ptr[idx] == '%' && macro_alternate)
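
Review bot: the `else if (in->ptr[idx] == '%' && macro_alternate)` branch in the trailing context reads `in->ptr[idx]` with no length test visible in this hunk, so it is worth confirming that the enclosing block guarantees `idx < in->len` before that branch is reached, or adding the same guard there. In the changed line the bound is tested before the dereference, which is the order short-circuit evaluation needs. The diff touches only gas/macro.c; a gas testsuite case built from the attached fault sample would keep the input-without-separator case covered against regression.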