Bug 24010

Summary: macro.c get_any_string should check bounds in the while-loop
Product: binutils
Reporter: wuheng <wu.heng>
Component: gas
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal
CC: nickc, wu.heng
Priority: P2
Version: 2.32
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments: The fault sample

Description wuheng 2018-12-20 03:21:10 UTC
Created attachment 11476
The fault sample

In the loop below, we do not think about the length of "idx > in->PTR", as in->PTR may not end in a separator. We should add a judgment of "idx < in->len".
   while (!ISSEP (in->ptr[idx]))
     sb_add_char (out, in->ptr[idx++]);


Here is the patch:

diff --git a/gas/macro.c b/gas/macro.c
index 6c0e554..9b542e8 100644
--- a/gas/macro.c
+++ b/gas/macro.c
@@ -369,7 +369,7 @@ get_any_string (size_t idx, sb *in, sb *out)
     {
       if (in->len > idx + 2 && in->ptr[idx + 1] == '\'' && ISBASE (in->ptr[idx]))
        {
-         while (!ISSEP (in->ptr[idx]))
+         while (idx < in->len && !ISSEP (in->ptr[idx]))
            sb_add_char (out, in->ptr[idx++]);
        }
       else if (in->ptr[idx] == '%' && macro_alternate)
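Review bot: In the while condition of get_any_string, the added `idx < in->len` test is correctly placed before the `in->ptr[idx]` read, but the loop can now stop at end of input without having seen a separator, and nothing in the hunk distinguishes that case from a normal stop. Please confirm that the code following the loop copes with idx == in->len. The trailing context line `else if (in->ptr[idx] == '%' && macro_alternate)` also reads in->ptr[idx] under a bounds check that is not visible in this hunk, so it deserves the same look. The patch touches only gas/macro.c; adding the attached fault sample as a gas testsuite case and including a ChangeLog entry would make the fix verifiable and complete.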
Comment 1 Sourceware Commits 2019-01-04 16:20:23 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1b2ed39c3a7ee2870f3d16a510d31e8d5916afbc

commit 1b2ed39c3a7ee2870f3d16a510d31e8d5916afbc
Author: Wu Heng <wu.heng@zte.com.cn>
Date:   Fri Jan 4 16:18:59 2019 +0000

    Fix potential buffer overrun whilst scanning macro strings.
    
    	PR 24010
    	* macro.c (get_any_string): Check for end of input whilst scanning
    	for separators.
Comment 2 Nick Clifton 2019-01-04 16:22:06 UTC
Hi Wu Heng,

  Thanks (again) for the bug report and patch.

  I have applied the patch along with a new ChangeLog entry.

Cheers
  Nick
Comment 3 wuheng 2019-01-05 06:43:48 UTC
(In reply to Nick Clifton from comment #2)
> Hi Wu Heng,
> 
>   Thanks (again) for the bug report and patch.
> 
>   I have applied the patch along with a new ChangeLog entry.
> 
> Cheers
>   Nick

Thanks (again) for verifying and merging this patch.