This probably fixes a buffer overrun reported by Honza.
Bootstrapped and tested on x86_64-unknown-linux-gnu, applied. Richard. 2019-11-29 Richard Biener <rguent...@suse.de> * tree-ssa-sccvn.c (vn_walk_cb_data::push_partial_def): Bail out early for too large objects. Index: gcc/tree-ssa-sccvn.c =================================================================== --- gcc/tree-ssa-sccvn.c (revision 278832) +++ gcc/tree-ssa-sccvn.c (working copy) @@ -1753,6 +1753,12 @@ void * vn_walk_cb_data::push_partial_def (const pd_data &pd, tree vuse, HOST_WIDE_INT maxsizei) { + const HOST_WIDE_INT bufsize = 64; + /* We're using a fixed buffer for encoding so fail early if the object + we want to interpret is bigger. */ + if (maxsizei > bufsize * BITS_PER_UNIT) + return (void *)-1; + if (partial_defs.is_empty ()) { partial_defs.safe_push (pd); @@ -1823,16 +1829,17 @@ vn_walk_cb_data::push_partial_def (const /* Now simply native encode all partial defs in reverse order. */ unsigned ndefs = partial_defs.length (); /* We support up to 512-bit values (for V8DFmode). */ - unsigned char buffer[64]; + unsigned char buffer[bufsize]; int len; while (!partial_defs.is_empty ()) { pd_data pd = partial_defs.pop (); + gcc_checking_assert (pd.offset < bufsize); if (TREE_CODE (pd.rhs) == CONSTRUCTOR) /* Empty CONSTRUCTOR. */ memset (buffer + MAX (0, pd.offset), - 0, MIN ((HOST_WIDE_INT)sizeof (buffer) - MAX (0, pd.offset), + 0, MIN (bufsize - MAX (0, pd.offset), pd.size + MIN (0, pd.offset))); else { @@ -1847,7 +1854,7 @@ vn_walk_cb_data::push_partial_def (const pad = GET_MODE_SIZE (mode) - pd.size; } len = native_encode_expr (pd.rhs, buffer + MAX (0, pd.offset), - sizeof (buffer) - MAX (0, pd.offset), + bufsize - MAX (0, pd.offset), MAX (0, -pd.offset) + pad); if (len <= 0 || len < (pd.size - MAX (0, -pd.offset))) {