* asan: heap buffer overflow in pa_chk_field_selector
@ 2022-03-29 0:58 Alan Modra
2022-03-29 5:59 ` Jan Beulich
0 siblings, 1 reply; 2+ messages in thread
From: Alan Modra @ 2022-03-29 0:58 UTC (permalink / raw)
To: binutils
The buffer overflow showed up running the gas "all macro" test.
* config/tc-hppa.c (pa_chk_field_selector): Don't read past end
of line.
diff --git a/gas/config/tc-hppa.c b/gas/config/tc-hppa.c
index 742d262a5b5..5a4db51b89a 100644
--- a/gas/config/tc-hppa.c
+++ b/gas/config/tc-hppa.c
@@ -2432,24 +2432,37 @@ pa_chk_field_selector (char **str)
int middle, low, high;
int cmp;
char name[4];
+ char *s = *str;
/* Read past any whitespace. */
- /* FIXME: should we read past newlines and formfeeds??? */
- while (**str == ' ' || **str == '\t' || **str == '\n' || **str == '\f')
- *str = *str + 1;
-
- if ((*str)[1] == '\'' || (*str)[1] == '%')
- name[0] = TOLOWER ((*str)[0]),
- name[1] = 0;
- else if ((*str)[2] == '\'' || (*str)[2] == '%')
- name[0] = TOLOWER ((*str)[0]),
- name[1] = TOLOWER ((*str)[1]),
- name[2] = 0;
- else if ((*str)[3] == '\'' || (*str)[3] == '%')
- name[0] = TOLOWER ((*str)[0]),
- name[1] = TOLOWER ((*str)[1]),
- name[2] = TOLOWER ((*str)[2]),
- name[3] = 0;
+ while (*s == ' ' || *s == '\t')
+ s++;
+ *str = s;
+
+ if (is_end_of_line [(unsigned char) s[0]])
+ return e_fsel;
+ else if (s[1] == '\'' || s[1] == '%')
+ {
+ name[0] = TOLOWER (s[0]);
+ name[1] = 0;
+ }
+ else if (is_end_of_line [(unsigned char) s[1]])
+ return e_fsel;
+ else if (s[2] == '\'' || s[2] == '%')
+ {
+ name[0] = TOLOWER (s[0]);
+ name[1] = TOLOWER (s[1]);
+ name[2] = 0;
+ }
+ else if (is_end_of_line [(unsigned char) s[2]])
+ return e_fsel;
+ else if (s[3] == '\'' || s[3] == '%')
+ {
+ name[0] = TOLOWER (s[0]);
+ name[1] = TOLOWER (s[1]);
+ name[2] = TOLOWER (s[2]);
+ name[3] = 0;
+ }
else
return e_fsel;
--
Alan Modra
Australia Development Lab, IBM
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: asan: heap buffer overflow in pa_chk_field_selector
2022-03-29 0:58 asan: heap buffer overflow in pa_chk_field_selector Alan Modra
@ 2022-03-29 5:59 ` Jan Beulich
0 siblings, 0 replies; 2+ messages in thread
From: Jan Beulich @ 2022-03-29 5:59 UTC (permalink / raw)
To: Alan Modra; +Cc: binutils
On 29.03.2022 02:58, Alan Modra via Binutils wrote:
> The buffer overflow showed up running the gas "all macro" test.
>
> * config/tc-hppa.c (pa_chk_field_selector): Don't read past end
> of line.
Thanks for taking care of this. It was in particular my intent to avoid
checking for end-of-line which first made me hesitant to fix this myself.
But I see you dropped the oddity at the same time, including the FIXME.
Before seeing your fix, I did actually make one using !ISALPHA() instead
of is_end_of_line(), but now I can right away drop that again.
Jan
> --- a/gas/config/tc-hppa.c
> +++ b/gas/config/tc-hppa.c
> @@ -2432,24 +2432,37 @@ pa_chk_field_selector (char **str)
> int middle, low, high;
> int cmp;
> char name[4];
> + char *s = *str;
>
> /* Read past any whitespace. */
> - /* FIXME: should we read past newlines and formfeeds??? */
> - while (**str == ' ' || **str == '\t' || **str == '\n' || **str == '\f')
> - *str = *str + 1;
> -
> - if ((*str)[1] == '\'' || (*str)[1] == '%')
> - name[0] = TOLOWER ((*str)[0]),
> - name[1] = 0;
> - else if ((*str)[2] == '\'' || (*str)[2] == '%')
> - name[0] = TOLOWER ((*str)[0]),
> - name[1] = TOLOWER ((*str)[1]),
> - name[2] = 0;
> - else if ((*str)[3] == '\'' || (*str)[3] == '%')
> - name[0] = TOLOWER ((*str)[0]),
> - name[1] = TOLOWER ((*str)[1]),
> - name[2] = TOLOWER ((*str)[2]),
> - name[3] = 0;
> + while (*s == ' ' || *s == '\t')
> + s++;
> + *str = s;
> +
> + if (is_end_of_line [(unsigned char) s[0]])
> + return e_fsel;
> + else if (s[1] == '\'' || s[1] == '%')
> + {
> + name[0] = TOLOWER (s[0]);
> + name[1] = 0;
> + }
> + else if (is_end_of_line [(unsigned char) s[1]])
> + return e_fsel;
> + else if (s[2] == '\'' || s[2] == '%')
> + {
> + name[0] = TOLOWER (s[0]);
> + name[1] = TOLOWER (s[1]);
> + name[2] = 0;
> + }
> + else if (is_end_of_line [(unsigned char) s[2]])
> + return e_fsel;
> + else if (s[3] == '\'' || s[3] == '%')
> + {
> + name[0] = TOLOWER (s[0]);
> + name[1] = TOLOWER (s[1]);
> + name[2] = TOLOWER (s[2]);
> + name[3] = 0;
> + }
> else
> return e_fsel;
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-03-29 5:59 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-29 0:58 asan: heap buffer overflow in pa_chk_field_selector Alan Modra
2022-03-29 5:59 ` Jan Beulich
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).