Date: Wed, 16 Feb 2022 22:01:32 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: asan : use of uninitialized value in buffer_and_nest

* macro.c (buffer_and_nest): Don't read past end of string buffer.

diff --git a/gas/macro.c b/gas/macro.c index 9327a6dea76..cbb9574fd66 100644 --- a/gas/macro.c +++ b/gas/macro.c 
@@ -184,14 +184,24 @@ buffer_and_nest (const char *from, const char *to, sb *ptr, { if (! flag_m68k_mri && ptr->ptr[i] == '.') i++; - if (from == NULL - && strncasecmp (ptr->ptr + i, "IRPC", from_len = 4) != 0 - && strncasecmp (ptr->ptr + i, "IRP", from_len = 3) != 0 - && strncasecmp (ptr->ptr + i, "IREPC", from_len = 5) != 0 - && strncasecmp (ptr->ptr + i, "IREP", from_len = 4) != 0 - && strncasecmp (ptr->ptr + i, "REPT", from_len = 4) != 0 - && strncasecmp (ptr->ptr + i, "REP", from_len = 3) != 0) - from_len = 0; + if (from == NULL) + { + size_t len = ptr->len - i; + if (len >= 5 && strncasecmp (ptr->ptr + i, "IREPC", 5) == 0) + from_len = 5; + else if (len >= 4 && strncasecmp (ptr->ptr + i, "IREP", 4) == 0) + from_len = 4; + else if (len >= 4 && strncasecmp (ptr->ptr + i, "IRPC", 4) == 0) + from_len = 4; + else if (len >= 4 && strncasecmp (ptr->ptr + i, "REPT", 4) == 0) + from_len = 4; + else if (len >= 3 && strncasecmp (ptr->ptr + i, "IRP", 3) == 0) + from_len = 3; + else if (len >= 3 && strncasecmp (ptr->ptr + i, "REP", 3) == 0) + from_len = 3; + else + from_len = 0; + } if ((from != NULL ? strncasecmp (ptr->ptr + i, from, from_len) == 0 : from_len > 0) @@ -199,7 +209,8 @@ buffer_and_nest (const char *from, const char *to, sb *ptr, || ! (is_part_of_name (ptr->ptr[i + from_len]) || is_name_ender (ptr->ptr[i + from_len])))) depth++; - if (strncasecmp (ptr->ptr + i, to, to_len) == 0 + if (ptr->len - i >= to_len + && strncasecmp (ptr->ptr + i, to, to_len) == 0 && (ptr->len == (i + to_len) || ! (is_part_of_name (ptr->ptr[i + to_len]) || is_name_ender (ptr->ptr[i + to_len])))) -- Alan Modra Australia Development Lab, IBM
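Review bot: In the first hunk (@@ -184), the `from != NULL` comparison in the trailing context, `strncasecmp (ptr->ptr + i, from, from_len) == 0`, still has no length check, so a caller-supplied `from` longer than the bytes left in the buffer can still compare past `ptr->len`. The new guards cover only the built-in IRP/REPT keywords in the `from == NULL` branch. Suggest applying the same bound there, for example `ptr->len - i >= from_len && strncasecmp (...) == 0`, so that both arms of the conditional match the treatment given to `to` in the second hunk.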
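Review bot: In the second hunk (@@ -199), the guard `ptr->len - i >= to_len` recomputes the remaining length that the first hunk already stores in `len`, but that variable is scoped inside the `from == NULL` block and cannot be reused here. Hoisting a single `size_t len = ptr->len - i;` above both tests would let the keyword, `from` and `to` comparisons share one bound and keep them from drifting apart. Both subtractions also assume `i <= ptr->len` after the unconditional `i++` on a leading '.'; the condition that guarantees this is outside the visible lines, so a short comment stating that invariant next to the subtraction would help, since an unsigned wrap there would make every length check pass.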