Date: Fri, 07 Feb 2020 14:01:00 -0000
From: Alan Modra
To: cgen@sourceware.org
Subject: Uninitialized variable read in cgen disassembler
Message-ID: <20200207140121.GJ5669@bubble.grove.modra.org>

I noticed this today in opcodes/m32c-ibld.c line 2498

    case M32C_OPERAND_IMM_40_SI :
      {
        {
          long value;
          length = extract_normal (cd, ex_info, insn_value, 0, 32, 8, 24, 32, total_length, pc, & value);
          value = ((((((((USI) (value) >> (16))) & (255))) | (((value) & (65280))))) | (((((value) << (16))) & (16711680))));
          fields->f_dsp_40_u24 = value;
        }
        if (length <= 0) break;
        length = extract_normal (cd, ex_info, insn_value, 0, 64, 0, 8, 32, total_length, pc, & fields->f_dsp_64_u8);
        if (length <= 0) break;
        {
          FLD (f_dsp_40_s32) = ((((FLD (f_dsp_40_u24)) & (16777215))) | (((((FLD (f_dsp_64_u8)) << (24))) & (0xff000000))));
        }
      }
      break;

Oops, the first "length <= 0" check on the return value of extract_normal is *after* we've already used "value". There's a return path in extract_normal that doesn't set *valuep, when fill_cache fails.

-- 
Alan Modra
Australia Development Lab, IBM
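Added illustration, not cgen code and not part of the message above: a small C model of the ordering problem, with a hypothetical extract_stub standing in for extract_normal (it leaves *valuep untouched on failure, like the fill_cache path described), the buggy use-before-check beside the corrected order. USI, the field name and the 24-bit byte swap follow the quoted generated code; every other name and the sample word are assumptions.

```c
#include <stdint.h>

typedef uint32_t USI;
/* Minimal stand-in for the generated cgen fields struct.  */
struct fields { long f_dsp_40_u24; };

/* Hypothetical stand-in for cgen's extract_normal: pulls `length` bits
   starting at bit `start` (counted from the MSB) of a 32-bit word.
   Like the real routine's fill_cache failure path, it returns 0 and
   leaves *valuep untouched when the fetch fails.  */
static int extract_stub (int fetch_ok, USI word, unsigned start,
                         unsigned length, long *valuep)
{
  if (!fetch_ok)
    return 0;                                  /* *valuep not written */
  USI mask = length >= 32 ? 0xffffffffu : ((1u << length) - 1);
  *valuep = (long) ((word >> (32 - start - length)) & mask);
  return (int) length;
}

/* The byte swap applied to the 24-bit displacement in the report.  */
static long swap24 (long value)
{
  return (long) ((((USI) value >> 16) & 255)
                 | ((USI) value & 65280)
                 | (((USI) value << 16) & 16711680));
}

/* Ordering from the report: the field is written before the status of
   the extract is checked, so a failed fetch stores whatever the stale
   `value` slot held.  `poison` models that stale content here.  */
static int buggy_imm40 (int fetch_ok, USI word, long poison, struct fields *f)
{
  long value = poison;               /* uninitialized in the real code */
  int length = extract_stub (fetch_ok, word, 8, 24, &value);
  f->f_dsp_40_u24 = swap24 (value);  /* consumed before the check */
  return length > 0;
}

/* Corrected ordering: check length first, only then consume the value.  */
static int fixed_imm40 (int fetch_ok, USI word, long poison, struct fields *f)
{
  long value = poison;
  int length = extract_stub (fetch_ok, word, 8, 24, &value);
  if (length <= 0)
    return 0;                        /* f->f_dsp_40_u24 left untouched */
  f->f_dsp_40_u24 = swap24 (value);
  return 1;
}
```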