This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
vax decoding of indexed addressing mode
- From: Alan Modra <amodra at gmail dot com>
- To: Jan-Benedict Glaw <jbglaw at lug-owl dot de>
- Cc: binutils at sourceware dot org
- Date: Fri, 13 Dec 2019 21:17:28 +1030
- Subject: vax decoding of indexed addressing mode
This patch prevents print_insn_mode recursing into another index mode
byte, which if repeated enough times will overflow private.the_buffer
and scribble over other memory. Found by our fuzzing friends.
OK?
* vax-dis.c (print_insn_mode): Stop index mode recursion.
diff --git a/opcodes/vax-dis.c b/opcodes/vax-dis.c
index 3bdfa15192..b095a33c88 100644
--- a/opcodes/vax-dis.c
+++ b/opcodes/vax-dis.c
@@ -240,8 +240,18 @@ print_insn_mode (const char *d,
(*info->fprintf_func) (info->stream, "$0x%x", mode);
break;
case 0x40: /* Index: base-addr[Rn] */
- p += print_insn_mode (d, size, p0 + 1, addr + 1, info);
- (*info->fprintf_func) (info->stream, "[%s]", reg_names[reg]);
+ {
+ unsigned char *q = p0 + 1;
+ unsigned char nextmode = NEXTBYTE (q);
+ if (nextmode < 0x60 || nextmode == 0x8f)
+ /* Literal, index, register, or immediate is invalid. In
+ particular don't recurse into another index mode which
+ might overflow the_buffer. */
+ (*info->fprintf_func) (info->stream, "[invalid base]");
+ else
+ p += print_insn_mode (d, size, p0 + 1, addr + 1, info);
+ (*info->fprintf_func) (info->stream, "[%s]", reg_names[reg]);
+ }
break;
case 0x50: /* Register: Rn */
(*info->fprintf_func) (info->stream, "%s", reg_names[reg]);
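Review bot: in the "[invalid base]" branch `p` is left pointing at the rejected mode byte, whereas the path it replaces always advanced `p` over the whole base specifier through the recursive `print_insn_mode` call; after this change the caller will pick that byte up again and decode it as the next operand specifier (or the next opcode). If re-decoding the byte is the intended behaviour, it is worth stating in the comment next to "Literal, index, register, or immediate is invalid"; if the byte should be treated as part of the malformed specifier instead, `p = q;` before the `break` would consume it, since `q` already sits just past the peeked byte.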
--
Alan Modra
Australia Development Lab, IBM
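To make the failure mode in the message concrete, here is an added stand-alone model of the operand-specifier length calculation, written for this page and not taken from opcodes/vax-dis.c. It uses the operand lengths of the VAX addressing modes (index, immediate 0x8f, absolute 0x9f, byte/word/longword displacement) and the exact validity test from the patch, and it models the fixed fetch buffer with an assumed size MAXLEN (the real size of private.the_buffer is not given on the page). A run of 0x40 bytes, each an index mode whose base is another index mode, recurses one level per byte; the unpatched path keeps fetching until it runs past the buffer limit, while the patched path rejects the second index byte at once. The inputs are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed fetch buffer in this model; the real size
   of private.the_buffer in vax-dis.c is not given on the page.  */
#define MAXLEN 25

/* The test the patch applies to the byte after an index mode byte:
   literal (0x00-0x3f), index (0x4n), register (0x5n) and immediate
   (0x8f) may not be the base of an indexed operand.  */
static int
index_base_is_valid (unsigned char nextmode)
{
  return !(nextmode < 0x60 || nextmode == 0x8f);
}

/* Length in bytes of the operand specifier at buf[pos] for an operand
   of 'size' bytes, recursing for index mode as the disassembler does.
   'fixed' selects the patched behaviour.  Returns -1 when a byte past
   'len' or past MAXLEN would be needed, which is where the unpatched
   disassembler would overrun its buffer.  *maxdepth (may be NULL)
   records the deepest index nesting reached.  */
static int
decode_specifier (const uint8_t *buf, size_t len, size_t pos, int size,
                  int fixed, int depth, int *maxdepth)
{
  size_t limit = len < MAXLEN ? len : MAXLEN;
  if (pos >= limit)
    return -1;

  unsigned char mode = buf[pos];
  unsigned char reg = mode & 0x0f;
  int extra;                    /* bytes following the mode byte */

  switch (mode & 0xf0)
    {
    case 0x40:                  /* Index: base-addr[Rn] */
      if (maxdepth && depth + 1 > *maxdepth)
        *maxdepth = depth + 1;
      if (pos + 1 >= limit)
        return -1;
      if (fixed && !index_base_is_valid (buf[pos + 1]))
        return 1;               /* patch: "[invalid base]", no recursion */
      {
        int base = decode_specifier (buf, len, pos + 1, size, fixed,
                                     depth + 1, maxdepth);
        return base < 0 ? base : 1 + base;
      }
    case 0x80:                  /* Autoincrement; 0x8f is immediate */
      extra = reg == 0x0f ? size : 0;
      break;
    case 0x90:                  /* Autoincrement deferred; 0x9f absolute */
      extra = reg == 0x0f ? 4 : 0;
      break;
    case 0xa0: case 0xb0:       /* Byte displacement (deferred) */
      extra = 1;
      break;
    case 0xc0: case 0xd0:       /* Word displacement (deferred) */
      extra = 2;
      break;
    case 0xe0: case 0xf0:       /* Longword displacement (deferred) */
      extra = 4;
      break;
    default:                    /* Literal, register, deferred, autodecrement */
      extra = 0;
      break;
    }
  if (pos + 1 + extra > limit)
    return -1;
  return 1 + extra;
}

static int
decode_bytes (const uint8_t *buf, size_t len, int size, int fixed)
{
  return decode_specifier (buf, len, 0, size, fixed, 0, NULL);
}

/* Constructed input: n consecutive 0x40 bytes (index nested n deep)
   ended by 0x65, register deferred (r5), which is a valid base.  */
static int
decode_index_chain (int n, int fixed, int *maxdepth)
{
  uint8_t chain[64];
  if (n > 63) n = 63;
  memset (chain, 0x40, (size_t) n);
  chain[n] = 0x65;
  if (maxdepth) *maxdepth = 0;
  return decode_specifier (chain, (size_t) n + 1, 0, 4, fixed, 0, maxdepth);
}

static int
index_chain_depth (int n, int fixed)
{
  int depth;
  decode_index_chain (n, fixed, &depth);
  return depth;
}

int
main (void)
{
  printf ("10 nested index bytes, unpatched: %d bytes consumed, depth %d\n",
          decode_index_chain (10, 0, NULL), index_chain_depth (10, 0));
  printf ("30 nested index bytes, unpatched: %d (buffer limit %d), depth %d\n",
          decode_index_chain (30, 0, NULL), MAXLEN, index_chain_depth (30, 0));
  printf ("30 nested index bytes, patched:   %d consumed, depth %d\n",
          decode_index_chain (30, 1, NULL), index_chain_depth (30, 1));
  static const uint8_t imm[] = { 0x41, 0x8f, 1, 2, 3, 4 };  /* $imm[r1] */
  printf ("$imm[r1]: unpatched %d bytes, patched %d bytes\n",
          decode_bytes (imm, sizeof imm, 4, 0), decode_bytes (imm, sizeof imm, 4, 1));
  return 0;
}
```

With the chain of 30 the unpatched path recurses to depth 25 and then needs a byte past the buffer limit; the real disassembler has no such check and keeps writing into the_buffer, which is the overflow the patch closes. Valid indexed operands such as 0x10(r5)[r1] decode identically on both paths, so the change only affects inputs the architecture already rejects.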