This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



vax decoding of indexed addressing mode


This patch prevents print_insn_mode recursing into another index mode
byte, which if repeated enough times will overflow private.the_buffer
and scribble over other memory.  Found by our fuzzing friends.

OK?

	* vax-dis.c (print_insn_mode): Stop index mode recursion.

diff --git a/opcodes/vax-dis.c b/opcodes/vax-dis.c
index 3bdfa15192..b095a33c88 100644
--- a/opcodes/vax-dis.c
+++ b/opcodes/vax-dis.c
@@ -240,8 +240,18 @@ print_insn_mode (const char *d,
         (*info->fprintf_func) (info->stream, "$0x%x", mode);
       break;
     case 0x40: /* Index:			base-addr[Rn] */
-      p += print_insn_mode (d, size, p0 + 1, addr + 1, info);
-      (*info->fprintf_func) (info->stream, "[%s]", reg_names[reg]);
+      {
+	unsigned char *q = p0 + 1;
+	unsigned char nextmode = NEXTBYTE (q);
+	if (nextmode < 0x60 || nextmode == 0x8f)
+	  /* Literal, index, register, or immediate is invalid.  In
+	     particular don't recurse into another index mode which
+	     might overflow the_buffer.  */
+	  (*info->fprintf_func) (info->stream, "[invalid base]");
+	else
+	  p += print_insn_mode (d, size, p0 + 1, addr + 1, info);
+	(*info->fprintf_func) (info->stream, "[%s]", reg_names[reg]);
+      }
       break;
     case 0x50: /* Register:			Rn */
       (*info->fprintf_func) (info->stream, "%s", reg_names[reg]);
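Review bot: In the `[invalid base]` branch the offset `p` is left untouched, so the rejected base-mode byte that `NEXTBYTE (q)` just read is not consumed and the next operand will be decoded starting at that same byte; the `else` branch, by contrast, advances `p` by whatever `print_insn_mode` returns. If leaving the byte for the following operand is deliberate, a short note in the comment would help, otherwise `p += 1` in the invalid branch (matching the single byte `q` advanced past) would keep the two branches consistent. A minor style point: `q` exists only to feed `NEXTBYTE`, which bumps it as a side effect; since `q` is then discarded that is harmless, but a comment saying the byte is only peeked, not consumed, would make the intent clear.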

-- 
Alan Modra
Australia Development Lab, IBM

