From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 31577 invoked by alias); 1 May 2006 18:40:16 -0000 Received: (qmail 31569 invoked by uid 22791); 1 May 2006 18:40:16 -0000 X-Spam-Check-By: sourceware.org Received: from smtp105.sbc.mail.mud.yahoo.com (HELO smtp105.sbc.mail.mud.yahoo.com) (68.142.198.204) by sourceware.org (qpsmtpd/0.31) with SMTP; Mon, 01 May 2006 18:40:12 +0000 Received: (qmail 29529 invoked from network); 1 May 2006 18:40:10 -0000 Received: from unknown (HELO lucon.org) (hjjean@sbcglobal.net@75.0.171.244 with login) by smtp105.sbc.mail.mud.yahoo.com with SMTP; 1 May 2006 18:40:09 -0000 Received: by lucon.org (Postfix, from userid 1000) id AF6A564034; Mon, 1 May 2006 11:40:06 -0700 (PDT) Date: Mon, 01 May 2006 18:40:00 -0000 From: "H. J. Lu" To: binutils@sources.redhat.com Subject: PATCH: Fix buffer overflow in gas Message-ID: <20060501184006.GA2583@lucon.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i Mailing-List: contact binutils-help@sourceware.org; run by ezmlm Precedence: bulk List-Subscribe: List-Archive: List-Post: List-Help: , Sender: binutils-owner@sourceware.org X-SW-Source: 2006-05/txt/msg00009.txt.bz2 There are some potential buffer overflows in gas. 8byte isn't enough to hold a negative byte. This patch fixes them. Also we should use snprintf instead of sprintf. H.J. --- 2006-05-01 H.J. Lu * config/tc-i386.c (output_invalid_buf): Change size to 16. * config/tc-tic30.c (output_invalid_buf): Likewise. * config/tc-i386.c (output_invalid): Use snprintf instead of sprintf. * config/tc-ia64.c (declare_register_set): Likewise. (emit_one_bundle): Likewise. (check_dependencies): Likewise. * config/tc-tic30.c (output_invalid): Likewise.
--- gas/config/tc-i386.c.buf 2006-04-25 14:35:46.000000000 -0700
+++ gas/config/tc-i386.c 2006-05-01 11:13:22.000000000 -0700
@@ -5251,16 +5251,18 @@ md_atof (type, litP, sizeP)
 return 0;
 }
-static char output_invalid_buf[8];
+static char output_invalid_buf[16];
 static char *
 output_invalid (c)
 int c;
 {
 if (ISPRINT (c))
- sprintf (output_invalid_buf, "'%c'", c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "'%c'", c);
 else
- sprintf (output_invalid_buf, "(0x%x)", (unsigned) c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "(0x%x)", (unsigned) c);
 return output_invalid_buf;
 }
--- gas/config/tc-ia64.c.buf 2006-04-25 14:35:46.000000000 -0700
+++ gas/config/tc-ia64.c 2006-05-01 11:26:49.000000000 -0700
@@ -5634,7 +5634,7 @@ declare_register_set (prefix, num_regs,
 for (i = 0; i < num_regs; ++i)
 {
- sprintf (name, "%s%u", prefix, i);
+ snprintf (name, sizeof (name), "%s%u", prefix, i);
 declare_register (name, base_regnum + i);
 }
 }
@@ -6971,7 +6971,8 @@ emit_one_bundle ()
 else
 as_fatal ("emit_one_bundle: unexpected dynamic op");
- sprintf (mnemonic, "%s.%c", idesc->name, "?imbfxx"[insn_unit]);
+ snprintf (mnemonic, sizeof (mnemonic), "%s.%c",
+ idesc->name, "?imbfxx"[insn_unit]);
 opnd1 = idesc->operands[0];
 opnd2 = idesc->operands[1];
 ia64_free_opcode (idesc);
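Review bot: The new size of `output_invalid_buf` is left unexplained, and the bound is not obvious: the `(0x%x)` branch formats `(unsigned) c`, so a negative `c` prints as `(0xffffffff)`, 12 characters plus the terminator with a 32-bit `unsigned`, which is why 8 overflowed and 16 suffices. A one-line comment on the declaration would keep the next reader from shrinking it again: `/* Room for "(0xffffffff)" plus NUL, the longest output when C is negative.  */`. With `snprintf` in place an `unsigned` wider than 32 bits would now truncate the diagnostic silently instead of overflowing, which is acceptable here. The same buffer and the same missing comment appear in the `tc-tic30.c` hunk (`output_invalid (char c)`) at the end of the patch.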
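Review bot: In `declare_register_set` the new `snprintf (name, sizeof (name), ...)` is only a fix if `name` is an array declared in this function; its declaration is outside the hunk (the function starts before it), so if `name` were a pointer parameter `sizeof (name)` would be the pointer size and the call would silently truncate — worth confirming. More importantly the return value is discarded, so a `prefix` plus `i` that no longer fits would register a truncated register name without any diagnostic, which is a correctness problem rather than a cosmetic one; `if ((size_t) snprintf (name, sizeof (name), "%s%u", prefix, i) >= sizeof (name)) as_fatal ("register name too long");` would make the failure visible. The `mnemonic` and `msg` buffers in the `emit_one_bundle` and `check_dependencies` hunks have the same discarded return value, though there truncation only shortens a mnemonic or a diagnostic string.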
@@ -10544,12 +10545,15 @@ check_dependencies (idesc)
 int certain = (matchtype == 1 && CURR_SLOT.qp_regno == 0);
 if (path != 0)
- sprintf (pathmsg, " when entry is at label '%s'",
+ snprintf (pathmsg, sizeof (pathmsg),
+ " when entry is at label '%s'",
 md.entry_labels[path - 1]);
 if (matchtype == 1 && rs->index >= 0)
- sprintf (indexmsg, ", specific resource number is %d",
+ snprintf (indexmsg, sizeof (indexmsg),
+ ", specific resource number is %d",
 rs->index);
- sprintf (msg, "Use of '%s' %s %s dependency '%s' (%s)%s%s",
+ snprintf (msg, sizeof (msg),
+ "Use of '%s' %s %s dependency '%s' (%s)%s%s",
 idesc->name,
 (certain ? "violates" : "may violate"),
 dv_mode[dep->mode], dep->name,
--- gas/config/tc-tic30.c.buf 2005-08-15 07:50:53.000000000 -0700
+++ gas/config/tc-tic30.c 2006-05-01 11:13:53.000000000 -0700
@@ -273,15 +273,17 @@ struct tic30_insn
 struct tic30_insn insn;
 static int found_parallel_insn;
-static char output_invalid_buf[8];
+static char output_invalid_buf[16];
 static char *
 output_invalid (char c)
 {
 if (ISPRINT (c))
- sprintf (output_invalid_buf, "'%c'", c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "'%c'", c);
 else
- sprintf (output_invalid_buf, "(0x%x)", (unsigned) c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "(0x%x)", (unsigned) c);
 return output_invalid_buf;
 }
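Review bot: `pathmsg` and `indexmsg` are each written only under a condition (`path != 0`, `matchtype == 1 && rs->index >= 0`), yet the final `snprintf` into `msg` is unconditional and its format ends in `%s%s`; the argument list continues past the hunk, so if those two trailing `%s` are fed from `pathmsg` and `indexmsg` the buffers must have been set to empty strings before this block, otherwise an unwritten one is read as garbage. That initialization, like the declarations of all three buffers, lies outside the hunk (`check_dependencies` starts and ends beyond it), so it should be confirmed rather than assumed. A short comment where the buffers are declared, e.g. `/* Cleared before use: only conditionally filled below, always consumed by MSG.  */`, would document the contract. Truncation by the new `snprintf` calls here only shortens the diagnostic text, which is fine.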