From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=LBY4=6Z=gmail.com=amodra@sourceware.org>
Received: from mail-pj1-x102c.google.com (mail-pj1-x102c.google.com [IPv6:2607:f8b0:4864:20::102c])
	by sourceware.org (Postfix) with ESMTPS id C799838582A1
	for <binutils@sourceware.org>; Wed,  1 Mar 2023 04:00:39 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org C799838582A1
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-pj1-x102c.google.com with SMTP id l1so12037181pjt.2
        for <binutils@sourceware.org>; Tue, 28 Feb 2023 20:00:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112; t=1677643238;
        h=content-disposition:mime-version:message-id:subject:to:from:date
         :from:to:cc:subject:date:message-id:reply-to;
        bh=ReEIJ2j689mG2D5/Wdtf5VRAh9l5oVVcVDZ/kmaNFaY=;
        b=M6J9dajCOZc/oxNv3+OU/p/siMCIU3V2g0rEulwPBb3Io7izK+bkqsXTUUbgcrwwKi
         SmLbaBDNEproPrwagAUCsWQ0lOl+3sFR15EbHwYl0m9HdHWhzY9jMeMkgpv3UW2LCWeh
         /eGTfOuYVk+gOrHmHo6ng3n9MdL+OETXujtSPts8voUvnF+hgl2zRzjDeJL3DuHU7LU4
         m8SiwBiMcPLC/9YspbuJOIGi2LdqGxj0b5jDwAvTj8HPnSBitdM0iz1xhqjalhO/emw9
         MiJxcqC4g1liSV6knl4pW1E6WXnm+QfsVWoN/E0JZEBc56KYYxcOU5VcCAU5G5a7FhYK
         s4Sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112; t=1677643238;
        h=content-disposition:mime-version:message-id:subject:to:from:date
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=ReEIJ2j689mG2D5/Wdtf5VRAh9l5oVVcVDZ/kmaNFaY=;
        b=iRaEDrfZSSJ+04Zu2txfoF+SS/q4U5psjbODzGIFX8FJkElQ4MM2RtYcsIh0DYfUMi
         fH3rf+nrXF7UhDRBv/NdlqdBCXgb/dSM5u07X0jfC53wMyysoc/4Zs3tPY0KujEf86tB
         YXAPTyD14JVa7R+4I+icy4JKari9IZR5d5IzenG/OETAqM0ZwAzvd2m9kxHkzivDiKBC
         TlpJRx3ky497EYTLAud/7nhNskJQXBy50xILJf4/WL73++df4y6N40/vOr3GIdJY15tc
         8W0z5G/mlE6V1KyK6cv83Qb9dGxYzCf6saBTYI6bMOO5MqXC3jGzTu41hwgxAzMDyAc5
         qluQ==
X-Gm-Message-State: AO0yUKWA6ybROIgBwl3obK9wtdilxWpt5mtPhtyKjcm0iZHRU2XtAM1n
	XKrc90SP0Jbz3sT894fQRy8oXzk+im0=
X-Google-Smtp-Source: AK7set+tKOxdeh7uOWh1HrRw0n7jMJ12Vbs1aTqOYCjMVyUOvBWqeTKVXVowRct7QYEpqFHb2gDelw==
X-Received: by 2002:a17:902:e806:b0:19a:9897:461 with SMTP id u6-20020a170902e80600b0019a98970461mr5942189plg.52.1677643238541;
        Tue, 28 Feb 2023 20:00:38 -0800 (PST)
Received: from squeak.grove.modra.org (158.106.96.58.static.exetel.com.au. [58.96.106.158])
        by smtp.gmail.com with ESMTPSA id 3-20020a170902c10300b00186b69157ecsm7248784pli.202.2023.02.28.20.00.37
        for <binutils@sourceware.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 28 Feb 2023 20:00:38 -0800 (PST)
Received: by squeak.grove.modra.org (Postfix, from userid 1000)
	id 2C71B1142D9B; Wed,  1 Mar 2023 14:30:36 +1030 (ACDT)
Date: Wed, 1 Mar 2023 14:30:36 +1030
From: Alan Modra <amodra@gmail.com>
To: binutils@sourceware.org
Subject: Catch overflow in gas s_space
Message-ID: <Y/7N5GnBecgnIXQx@squeak.grove.modra.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Spam-Status: No, score=-3035.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,GIT_PATCH_0,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <binutils.sourceware.org>

Also fix an error introduced in 1998 in reporting a zero count for
negative counts.

      * read.c (s_space): Use unsigned multiply, and catch overflow.
      Correct order of tests for invalid repeat counts.  Ensure
      ignored directives don't affect mri_pending_align.

diff --git a/gas/read.c b/gas/read.c
index 5d83d35e0aa..cff44623541 100644
--- a/gas/read.c
+++ b/gas/read.c
@@ -3328,27 +3328,37 @@ s_space (int mult)
 
       if (exp.X_op == O_constant)
 	{
-	  offsetT repeat;
+	  addressT repeat = exp.X_add_number;
+	  addressT total;
 
-	  repeat = exp.X_add_number;
-	  if (mult)
-	    repeat *= mult;
-	  bytes = repeat;
-	  if (repeat <= 0)
+	  bytes = 0;
+	  if ((offsetT) repeat < 0)
+	    {
+	      as_warn (_(".space repeat count is negative, ignored"));
+	      goto getout;
+	    }
+	  if (repeat == 0)
 	    {
 	      if (!flag_mri)
 		as_warn (_(".space repeat count is zero, ignored"));
-	      else if (repeat < 0)
-		as_warn (_(".space repeat count is negative, ignored"));
 	      goto getout;
 	    }
+	  if ((unsigned int) mult <= 1)
+	    total = repeat;
+	  else if (gas_mul_overflow (repeat, mult, &total)
+		   || (offsetT) total < 0)
+	    {
+	      as_warn (_(".space repeat count overflow, ignored"));
+	      goto getout;
+	    }
+	  bytes = total;
 
 	  /* If we are in the absolute section, just bump the offset.  */
 	  if (now_seg == absolute_section)
 	    {
 	      if (val.X_op != O_constant || val.X_add_number != 0)
 		as_warn (_("ignoring fill value in absolute section"));
-	      abs_section_offset += repeat;
+	      abs_section_offset += total;
 	      goto getout;
 	    }
 
@@ -3358,13 +3368,13 @@ s_space (int mult)
 	  if (mri_common_symbol != NULL)
 	    {
 	      S_SET_VALUE (mri_common_symbol,
-			   S_GET_VALUE (mri_common_symbol) + repeat);
+			   S_GET_VALUE (mri_common_symbol) + total);
 	      goto getout;
 	    }
 
 	  if (!need_pass_2)
 	    p = frag_var (rs_fill, 1, 1, (relax_substateT) 0, (symbolS *) 0,
-			  (offsetT) repeat, (char *) 0);
+			  (offsetT) total, (char *) 0);
 	}
       else
 	{

-- 
Alan Modra
Australia Development Lab, IBM