Bug 24010 - macro.c get_any_string should check bounds in the while-loop
Status: RESOLVED FIXED
Product: binutils
Classification: Unclassified
Component: gas
Version: 2.32
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2018-12-20 03:21 UTC by wuheng
Modified: 2019-01-05 06:43 UTC

Attachments
The fault sample (65 bytes, text/plain)
2018-12-20 03:21 UTC, wuheng

Description wuheng 2018-12-20 03:21:10 UTC
Created attachment 11476
The fault sample

In the loop below, we do not think about the length of "idx > in->PTR", as in->PTR may not end in a separator. We should add a judgment of "idx < in->len".
   while (!ISSEP (in->ptr[idx]))
     sb_add_char (out, in->ptr[idx++]);


Here is the patch:

diff --git a/gas/macro.c b/gas/macro.c
index 6c0e554..9b542e8 100644
--- a/gas/macro.c
+++ b/gas/macro.c
@@ -369,7 +369,7 @@ get_any_string (size_t idx, sb *in, sb *out)
     {
       if (in->len > idx + 2 && in->ptr[idx + 1] == '\'' && ISBASE (in->ptr[idx]))
        {
-         while (!ISSEP (in->ptr[idx]))
+         while (idx < in->len && !ISSEP (in->ptr[idx]))
            sb_add_char (out, in->ptr[idx++]);
        }
       else if (in->ptr[idx] == '%' && macro_alternate)
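Review bot: No regression test accompanies the bounded `while` loop, so the overread on input that lacks a trailing separator could return unnoticed; consider adding the 65-byte fault sample from the attachment as a gas testsuite case. The new condition is ordered correctly, with `idx < in->len` evaluated before `in->ptr[idx]` is read. The context line `else if (in->ptr[idx] == '%' && macro_alternate)` also reads `in->ptr[idx]`, and the guard that makes that read safe is not visible in this hunk, so it is worth confirming that the enclosing condition already ensures `idx < in->len`.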
Comment 1 cvs-commit@gcc.gnu.org 2019-01-04 16:20:23 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1b2ed39c3a7ee2870f3d16a510d31e8d5916afbc

commit 1b2ed39c3a7ee2870f3d16a510d31e8d5916afbc
Author: Wu Heng <wu.heng@zte.com.cn>
Date:   Fri Jan 4 16:18:59 2019 +0000

    Fix potential buffer overrun whilst scanning macro strings.
    
    	PR 24010
    	* macro.c (get_any_string): Check for end of input whilst scanning
    	for separators.
Comment 2 Nick Clifton 2019-01-04 16:22:06 UTC
Hi Wu Heng,

  Thanks (again) for the bug report and patch.

  I have applied the patch along with a new ChangeLog entry.

Cheers
  Nick
Comment 3 wuheng 2019-01-05 06:43:48 UTC
(In reply to Nick Clifton from comment #2)
> Hi Wu Heng,
> 
>   Thanks (again) for the bug report and patch.
> 
>   I have applied the patch along with a new ChangeLog entry.
> 
> Cheers
>   Nick

Thanks (again) for verifying and merging this patch.
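
The overread the report describes, shown on a counted buffer as an added example (not code from this bug thread or from binutils). `struct buf`, `is_sep` and the constructed input are assumptions standing in for gas's `sb` and `ISSEP`; the bytes after the logical end sit inside the same array so the unbounded scan can be run safely.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a counted string buffer (hypothetical type, not
   the binutils sb): only the first len bytes of ptr are valid, no NUL. */
struct buf { const char *ptr; size_t len; };

/* Assumed separator set for this demo; the real ISSEP is not shown on the page. */
static int is_sep(char c) { return c == ' ' || c == ',' || c == '\t' || c == '\n'; }

/* Pre-fix loop shape: stops only at a separator and never consults len.
   (The outsz test only protects this demo's fixed-size output array.) */
size_t scan_unbounded(const struct buf *in, size_t idx, char *out, size_t outsz)
{
    size_t n = 0;
    while (!is_sep(in->ptr[idx]) && n + 1 < outsz)
        out[n++] = in->ptr[idx++];
    out[n] = '\0';
    return idx;
}

/* Post-fix loop shape: the length test comes first, so short-circuit
   evaluation means ptr[idx] is never read once idx reaches len. */
size_t scan_bounded(const struct buf *in, size_t idx, char *out, size_t outsz)
{
    size_t n = 0;
    while (idx < in->len && !is_sep(in->ptr[idx]) && n + 1 < outsz)
        out[n++] = in->ptr[idx++];
    out[n] = '\0';
    return idx;
}

/* Constructed input: the buffer is the first 6 bytes ("b'1010"), with no
   separator; the remaining bytes stand in for whatever memory follows it. */
static const char backing[] = "b'1010SECRET,tail";
char demo_out[32];

/* Number of bytes consumed beyond the logical end of the buffer. */
size_t overread(size_t (*scan)(const struct buf *, size_t, char *, size_t))
{
    struct buf in = { backing, 6 };
    size_t end = scan(&in, 0, demo_out, sizeof demo_out);
    return end > in.len ? end - in.len : 0;
}

int main(void)
{
    printf("unbounded: %zu past end, \"%s\"\n", overread(scan_unbounded), demo_out);
    printf("bounded:   %zu past end, \"%s\"\n", overread(scan_bounded), demo_out);
    return 0;
}
```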