From: "H. J. Lu" <hjl@lucon.org>
To: binutils@sources.redhat.com
Subject: PATCH: Fix buffer overflow in gas
Date: Mon, 01 May 2006 18:40:00 -0000	[thread overview]
Message-ID: <20060501184006.GA2583@lucon.org> (raw)

There are some potential buffer overflows in gas. An 8-byte buffer isn't
large enough to hold the formatted value of a negative byte. This patch
fixes them. Also, we should use snprintf instead of sprintf.


H.J.
---
2006-05-01  H.J. Lu  <hongjiu.lu@intel.com>

	* config/tc-i386.c (output_invalid_buf): Change size to 16.
	* config/tc-tic30.c (output_invalid_buf): Likewise.

	* config/tc-i386.c (output_invalid): Use snprintf instead of
	sprintf.
	* config/tc-ia64.c (declare_register_set): Likewise.
	(emit_one_bundle): Likewise.
	(check_dependencies): Likewise.
	* config/tc-tic30.c (output_invalid): Likewise.

--- gas/config/tc-i386.c.buf	2006-04-25 14:35:46.000000000 -0700
+++ gas/config/tc-i386.c	2006-05-01 11:13:22.000000000 -0700
@@ -5251,16 +5251,18 @@ md_atof (type, litP, sizeP)
   return 0;
 }
 \f
-static char output_invalid_buf[8];
+static char output_invalid_buf[16];
 
 static char *
 output_invalid (c)
      int c;
 {
   if (ISPRINT (c))
-    sprintf (output_invalid_buf, "'%c'", c);
+    snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+	      "'%c'", c);
   else
-    sprintf (output_invalid_buf, "(0x%x)", (unsigned) c);
+    snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+	      "(0x%x)", (unsigned) c);
   return output_invalid_buf;
 }
 
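Review bot: In the non-printable branch of output_invalid, `(unsigned) c` still formats a sign-extended value for a negative argument, so the diagnostic reads like `(0xffffff80)` rather than naming the byte; `"(0x%x)", (unsigned char) c` would print `(0x80)` and keep the output to seven bytes including the terminator. The new size 16 is unexplained, and a comment above the declaration such as `/* "(0x" + up to 8 hex digits + ")" + NUL = 13 bytes for a 32-bit unsigned */` would record why 8 was too small. The function returns a pointer to one static buffer, so two calls used in the same diagnostic would overwrite each other, which deserves a line in a function comment. The same points apply to the copy of output_invalid in the tc-tic30.c hunk.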
--- gas/config/tc-ia64.c.buf	2006-04-25 14:35:46.000000000 -0700
+++ gas/config/tc-ia64.c	2006-05-01 11:26:49.000000000 -0700
@@ -5634,7 +5634,7 @@ declare_register_set (prefix, num_regs, 
 
   for (i = 0; i < num_regs; ++i)
     {
-      sprintf (name, "%s%u", prefix, i);
+      snprintf (name, sizeof (name), "%s%u", prefix, i);
       declare_register (name, base_regnum + i);
     }
 }
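Review bot: `sizeof (name)` only bounds the write if `name` is declared as an array in declare_register_set; the declaration is outside this hunk, and if it were a `char *` the limit would silently become the size of a pointer. The snprintf result is also ignored, so a prefix and index that do not fit are truncated and the shortened string is still passed to declare_register, which could register a wrong or duplicate name. Checking the result, for example `if ((size_t) snprintf (name, sizeof (name), "%s%u", prefix, i) >= sizeof (name))` followed by an `as_fatal` call, would turn silent truncation into a visible error. Both remarks also apply to the `mnemonic` call in the emit_one_bundle hunk and to the `pathmsg`, `indexmsg` and `msg` calls in the check_dependencies hunk.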
@@ -6971,7 +6971,8 @@ emit_one_bundle ()
 	  else
 	    as_fatal ("emit_one_bundle: unexpected dynamic op");
 
-	  sprintf (mnemonic, "%s.%c", idesc->name, "?imbfxx"[insn_unit]);
+	  snprintf (mnemonic, sizeof (mnemonic), "%s.%c",
+		    idesc->name, "?imbfxx"[insn_unit]);
 	  opnd1 = idesc->operands[0];
 	  opnd2 = idesc->operands[1];
 	  ia64_free_opcode (idesc);
@@ -10544,12 +10545,15 @@ check_dependencies (idesc)
 	      int certain = (matchtype == 1 && CURR_SLOT.qp_regno == 0);
 
 	      if (path != 0)
-		sprintf (pathmsg, " when entry is at label '%s'",
+		snprintf (pathmsg, sizeof (pathmsg),
+			  " when entry is at label '%s'",
 			 md.entry_labels[path - 1]);
 	      if (matchtype == 1 && rs->index >= 0)
-		sprintf (indexmsg, ", specific resource number is %d",
+		snprintf (indexmsg, sizeof (indexmsg),
+			  ", specific resource number is %d",
 			 rs->index);
-	      sprintf (msg, "Use of '%s' %s %s dependency '%s' (%s)%s%s",
+	      snprintf (msg, sizeof (msg),
+			"Use of '%s' %s %s dependency '%s' (%s)%s%s",
 		       idesc->name,
 		       (certain ? "violates" : "may violate"),
 		       dv_mode[dep->mode], dep->name,
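Review bot: The continuation lines left as context in check_dependencies (`md.entry_labels[path - 1]);`, `rs->index);` and the argument list from `idesc->name,` onward) are still aligned to the old `sprintf (` column, so they now sit one column to the left of the re-indented arguments above them. Re-indent them by one space so each call's arguments line up under the first argument after `snprintf (`. The last snprintf call continues past the end of this hunk, so its remaining arguments need the same adjustment.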
--- gas/config/tc-tic30.c.buf	2005-08-15 07:50:53.000000000 -0700
+++ gas/config/tc-tic30.c	2006-05-01 11:13:53.000000000 -0700
@@ -273,15 +273,17 @@ struct tic30_insn
 struct tic30_insn insn;
 static int found_parallel_insn;
 
-static char output_invalid_buf[8];
+static char output_invalid_buf[16];
 
 static char *
 output_invalid (char c)
 {
   if (ISPRINT (c))
-    sprintf (output_invalid_buf, "'%c'", c);
+    snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+	      "'%c'", c);
   else
-    sprintf (output_invalid_buf, "(0x%x)", (unsigned) c);
+    snprintf (output_invalid_buf, sizeof (output_invalid_buf), 
+	      "(0x%x)", (unsigned) c);
   return output_invalid_buf;
 }
 
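Review bot: The added line `snprintf (output_invalid_buf, sizeof (output_invalid_buf), ` in the else branch ends with a trailing space, which the corresponding line in the tc-i386.c hunk does not have. Remove it so the two otherwise identical snprintf calls stay byte-for-byte the same and whitespace checks on the patch stay clean.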
