This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
Re: [PATCH] gas: config: Fix memory overflow issue about strncat()
- From: Chen Gang <gang dot chen dot 5i5j at gmail dot com>
- To: binutils at sourceware dot org
- Date: Mon, 13 Oct 2014 23:20:31 +0800
- References: <543BEA51 dot 2040504 at gmail dot com>
And for me, in another area within md_assemble(), I worry about the
strncpy(): it may not leave 'insn->name' zero terminated.
"strncpy (insn->name, str, TIC4X_NAME_MAX - 3);"
But I don't know why it is 'TIC4X_NAME_MAX - 3', so I only worry about it, and
do not know whether it is an issue or not.
Any ideas about it are welcome (if necessary, I can help send a patch for it).
Thanks.
On 10/13/14 23:05, Chen Gang wrote:
> strncat() will append additional '\0' to destination memory, so need
> additional 1 byte for it, or may cause memory overflow.
>
> 2014-10-14 Chen Gang <gang.chen.5i5j@gmail.com>
>
> * config/tc-tic4x.c (md_assemble): Fix memory overflow issue
> about strncat().
> ---
> gas/config/tc-tic4x.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/gas/config/tc-tic4x.c b/gas/config/tc-tic4x.c
> index 904a68c..193abbb 100644
> --- a/gas/config/tc-tic4x.c
> +++ b/gas/config/tc-tic4x.c
> @@ -2456,7 +2456,7 @@ md_assemble (char *str)
> if (*s) /* Null terminate for hash_find. */
> *s++ = '\0'; /* and skip past null. */
> strcat (insn->name, "_");
> - strncat (insn->name, str, TIC4X_NAME_MAX - strlen (insn->name));
> + strncat (insn->name, str, TIC4X_NAME_MAX - strlen (insn->name) - 1);
>
> insn->operands[insn->num_operands++].mode = M_PARALLEL;
>
>
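Review bot: In the changed strncat() line, the bound `TIC4X_NAME_MAX - strlen (insn->name) - 1` is evaluated in size_t because strlen() returns size_t, so if insn->name already holds TIC4X_NAME_MAX characters after the preceding `strcat (insn->name, "_")`, the bound wraps to a very large value instead of becoming zero. The hunk does not show the declared size of insn->name, and the `- 1` is needed only if that size is exactly TIC4X_NAME_MAX; the unbounded strcat() one line above depends on the same unstated size. Suggest computing the remaining room once from the declared size of insn->name, checking that it is non-zero before both appends, and stating the array size in the ChangeLog entry.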
--
Chen Gang
Open, share, and attitude like air, water, and life which God blessed
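
The two library behaviours discussed in this thread (strncat() writing a terminating '\0' after the n characters it appends, and strncpy() leaving the destination unterminated when the source fills the count), shown as an added example that is not part of the original mail or of the binutils source. The buffer size NAME_BUF_SIZE, the helper names and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define NAME_BUF_SIZE 16   /* hypothetical total size of the name buffer */

/* Copy src into dst[size] and always terminate it.
   Returns 0 if src fit completely, -1 if it was truncated. */
static int bounded_copy(char *dst, size_t size, const char *src)
{
    if (size == 0)
        return -1;
    /* strncpy() adds no '\0' when strlen(src) >= n, so copy at most
       size - 1 bytes and write the terminator explicitly. */
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0';
    return strlen(src) >= size ? -1 : 0;
}

/* Append src to the string already in dst[size].
   Returns 0 if src fit completely, -1 if truncated or dst is unterminated. */
static int bounded_append(char *dst, size_t size, const char *src)
{
    const char *end = memchr(dst, '\0', size);
    if (end == NULL)              /* no terminator inside the buffer */
        return -1;
    size_t used = (size_t)(end - dst);
    /* used < size here, so this subtraction cannot wrap around.
       strncat() writes up to room characters PLUS a '\0', which is
       why one byte is held back for the terminator. */
    size_t room = size - used - 1;
    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;
}

/* Build "<first>_<second>" in out[size], the same shape of join the
   patched code performs. Returns 0 on success, -1 if anything was cut. */
static int join_names(char *out, size_t size,
                      const char *first, const char *second)
{
    int rc = bounded_copy(out, size, first);
    rc |= bounded_append(out, size, "_");
    rc |= bounded_append(out, size, second);
    return rc ? -1 : 0;
}
```
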