Date: Thu, 2 Mar 2023 08:30:58 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: More bounds checking in macro_expand

* macro.c (macro_expand): Ensure input string buffer is not read past end.

diff --git a/gas/macro.c b/gas/macro.c index 74a1317cb11..fae94ae42c1 100644 --- a/gas/macro.c +++ b/gas/macro.c @@ -1120,7 +1120,7 @@ macro_expand (size_t idx, sb *in, macro_entry *m, sb *out) then the actual stuff. */ sb_reset (&t); idx = get_token (idx, in, &t); - if (in->ptr[idx] != '=') + if (idx >= in->len || in->ptr[idx] != '=') { err = _("confusion in formal parameters"); break; @@ -1184,7 +1184,7 @@ macro_expand (size_t idx, sb *in, macro_entry *m, sb *out) if (f->type != FORMAL_VARARG) idx = get_any_string (idx, in, &f->actual); - else + else if (idx < in->len) { sb_add_buffer (&f->actual, in->ptr + idx, in->len - idx); idx = in->len;
@@ -1202,9 +1202,9 @@ macro_expand (size_t idx, sb *in, macro_entry *m, sb *out) idx = sb_skip_comma (idx, in); else { - if (in->ptr[idx] == ',') + if (idx < in->len && in->ptr[idx] == ',') ++idx; - if (ISWHITE (in->ptr[idx])) + if (idx < in->len && ISWHITE (in->ptr[idx])) break; } } -- Alan Modra Australia Development Lab, IBM
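
Review bot: no test accompanies the `idx >= in->len` check added in the first hunk (@@ -1120, right after the get_token call); the diff touches only gas/macro.c. A gas testsuite case whose macro invocation ends immediately after a keyword parameter name, with no `=` following, would pin this path down. The end-of-input case also reuses the "confusion in formal parameters" message, which is fine as long as that wording is acceptable for truncated input as well as for a wrong character.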
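
Review bot: the `else if (idx < in->len)` in the second hunk (@@ -1184) changes more than the read: when the guard fails, `idx = in->len;` no longer runs, so an idx that is already past in->len stays past it for whatever follows. If idx can exceed in->len here, consider keeping the assignment unconditional and guarding only the sb_add_buffer call. A one-line comment would also help, since idx is a size_t and the guard is what keeps `in->len - idx` from wrapping to a huge length.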
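
Review bot: in the third hunk (@@ -1202), with both tests now guarded by `idx < in->len`, neither the `++idx` nor the `break` runs at end of input, so leaving the loop relies entirely on the enclosing loop condition, which is outside the visible context. Please confirm that condition stops on idx >= in->len; if it does not, an explicit `if (idx >= in->len) break;` ahead of these two tests would make the termination obvious.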