From: "H. J. Lu" <hjl@lucon.org>
To: binutils@sources.redhat.com
Subject: PATCH: Fix buffer overflow in gas
Date: Mon, 01 May 2006 18:40:00 -0000 [thread overview]
Message-ID: <20060501184006.GA2583@lucon.org> (raw)
There are some potential buffer overflows in gas. An 8-byte buffer isn't
enough to hold a negative byte. This patch fixes them. Also, we should use
snprintf instead of sprintf.
H.J.
---
2006-05-01 H.J. Lu <hongjiu.lu@intel.com>
* config/tc-i386.c (output_invalid_buf): Change size to 16.
* config/tc-tic30.c (output_invalid_buf): Likewise.
* config/tc-i386.c (output_invalid): Use snprintf instead of
sprintf.
* config/tc-ia64.c (declare_register_set): Likewise.
(emit_one_bundle): Likewise.
(check_dependencies): Likewise.
* config/tc-tic30.c (output_invalid): Likewise.
--- gas/config/tc-i386.c.buf 2006-04-25 14:35:46.000000000 -0700
+++ gas/config/tc-i386.c 2006-05-01 11:13:22.000000000 -0700
@@ -5251,16 +5251,18 @@ md_atof (type, litP, sizeP)
return 0;
}
\f
-static char output_invalid_buf[8];
+static char output_invalid_buf[16];
static char *
output_invalid (c)
int c;
{
if (ISPRINT (c))
- sprintf (output_invalid_buf, "'%c'", c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "'%c'", c);
else
- sprintf (output_invalid_buf, "(0x%x)", (unsigned) c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "(0x%x)", (unsigned) c);
return output_invalid_buf;
}
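Review bot: The new size in `static char output_invalid_buf[16];` is an unexplained constant, and the `"(0x%x)"` branch still prints a sign-extended value for a negative byte (for example `(0xffffff80)` rather than `(0x80)`, assuming a 32-bit unsigned). Converting through unsigned char, `"(0x%x)", (unsigned char) c`, would bound the output to six characters plus the terminator and report the actual byte, so the required size can be derived rather than guessed. If the cast to `unsigned` is kept, a comment such as `/* "(0xffffffff)" is 12 chars + NUL with a 32-bit unsigned.  */` should explain the 16. The same applies to the identical output_invalid change in tc-tic30.c, where the parameter is a plain `char` whose signedness is implementation-defined.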
--- gas/config/tc-ia64.c.buf 2006-04-25 14:35:46.000000000 -0700
+++ gas/config/tc-ia64.c 2006-05-01 11:26:49.000000000 -0700
@@ -5634,7 +5634,7 @@ declare_register_set (prefix, num_regs,
for (i = 0; i < num_regs; ++i)
{
- sprintf (name, "%s%u", prefix, i);
+ snprintf (name, sizeof (name), "%s%u", prefix, i);
declare_register (name, base_regnum + i);
}
}
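Review bot: `sizeof (name)` is the buffer size only if `name` is declared as an array in declare_register_set; the declaration is outside this hunk, and if it is a pointer the bound becomes the pointer size and every register name is truncated. The snprintf return value is also ignored, so a `prefix` too long for the buffer would now silently declare a truncated, possibly duplicate, register name instead of overflowing. A check such as `if ((size_t) snprintf (name, sizeof (name), "%s%u", prefix, i) >= sizeof (name)) as_fatal ("register name too long");` would make that case visible. Both points also apply to `mnemonic` in emit_one_bundle and to `pathmsg`, `indexmsg` and `msg` in check_dependencies, whose declarations are likewise not shown.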
@@ -6971,7 +6971,8 @@ emit_one_bundle ()
else
as_fatal ("emit_one_bundle: unexpected dynamic op");
- sprintf (mnemonic, "%s.%c", idesc->name, "?imbfxx"[insn_unit]);
+ snprintf (mnemonic, sizeof (mnemonic), "%s.%c",
+ idesc->name, "?imbfxx"[insn_unit]);
opnd1 = idesc->operands[0];
opnd2 = idesc->operands[1];
ia64_free_opcode (idesc);
@@ -10544,12 +10545,15 @@ check_dependencies (idesc)
int certain = (matchtype == 1 && CURR_SLOT.qp_regno == 0);
if (path != 0)
- sprintf (pathmsg, " when entry is at label '%s'",
+ snprintf (pathmsg, sizeof (pathmsg),
+ " when entry is at label '%s'",
md.entry_labels[path - 1]);
if (matchtype == 1 && rs->index >= 0)
- sprintf (indexmsg, ", specific resource number is %d",
+ snprintf (indexmsg, sizeof (indexmsg),
+ ", specific resource number is %d",
rs->index);
- sprintf (msg, "Use of '%s' %s %s dependency '%s' (%s)%s%s",
+ snprintf (msg, sizeof (msg),
+ "Use of '%s' %s %s dependency '%s' (%s)%s%s",
idesc->name,
(certain ? "violates" : "may violate"),
dv_mode[dep->mode], dep->name,
--- gas/config/tc-tic30.c.buf 2005-08-15 07:50:53.000000000 -0700
+++ gas/config/tc-tic30.c 2006-05-01 11:13:53.000000000 -0700
@@ -273,15 +273,17 @@ struct tic30_insn
struct tic30_insn insn;
static int found_parallel_insn;
-static char output_invalid_buf[8];
+static char output_invalid_buf[16];
static char *
output_invalid (char c)
{
if (ISPRINT (c))
- sprintf (output_invalid_buf, "'%c'", c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "'%c'", c);
else
- sprintf (output_invalid_buf, "(0x%x)", (unsigned) c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "(0x%x)", (unsigned) c);
return output_invalid_buf;
}