https://sourceware.org/bugzilla/show_bug.cgi?id=24010
Bug ID: 24010
Summary: macro.c get_any_string should check bounds in the
while-loop
Product: binutils
Version: 2.32 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: wu.heng at zte dot com.cn
Target Milestone: ---
Created attachment 11476
--> https://sourceware.org/bugzilla/attachment.cgi?id=11476&action=edit
The fault sample
In the loop below, we do not think about the length of "idx > in->PTR", as the
in->PTR may not end in separator. We should add a judgment of "idx < in->len".
while (!ISSEP (in->ptr[idx]))
sb_add_char (out, in->ptr[idx++]);
here is the patch
diff --git a/gas/macro.c b/gas/macro.c
index 6c0e554..9b542e8 100644
--- a/gas/macro.c
+++ b/gas/macro.c
@@ -369,7 +369,7 @@ get_any_string (size_t idx, sb *in, sb *out)
{
if (in->len > idx + 2 && in->ptr[idx + 1] == '\'' && ISBASE
(in->ptr[idx]))
{
- while (!ISSEP (in->ptr[idx]))
+ while (idx < in->len && !ISSEP (in->ptr[idx]))
sb_add_char (out, in->ptr[idx++]);
}
else if (in->ptr[idx] == '%' && macro_alternate)
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
