From: Stafford Horne
To: gdb-patches@sourceware.org
Cc: Stafford Horne
Subject: [PATCH] cgen: opcodes: Fix memory corruption in lookup
Date: Wed, 08 Feb 2017 16:40:00 -0000
Message-Id: <20170208164027.17843-1-shorne@gmail.com>

The buf variable is used after it is free'd. This causes the lookups to fail and also causes memory corruption. Re-arrange the code a bit to make sure we always free memory before returning.

This was caught in openrisc testing, one of the only users of this method.

opcodes/ChangeLog:

2017-02-09 Stafford Horne

cgen-opc.c (cgen_lookup_insn): Fix memory corruption issue.

--- opcodes/cgen-opc.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/opcodes/cgen-opc.c b/opcodes/cgen-opc.c index 72b4f05..40a6320 100644 --- a/opcodes/cgen-opc.c +++ b/opcodes/cgen-opc.c @@ -463,7 +463,6 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, buf = (unsigned char *) xmalloc (cd->max_insn_bitsize / 8); cgen_put_insn_value (cd, buf, length, insn_int_value); base_insn = insn_int_value; - free (buf); } else { @@ -475,7 +474,7 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, base_insn = cgen_get_insn_value (cd, buf, length); } - if (!insn) + if (insn == NULL) { const CGEN_INSN_LIST *insn_list; @@ -505,7 +504,8 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, /* sanity check */ if (length != 0 && length != elength) abort (); - return insn; + /* found, done */ + break; } } } @@ -530,10 +530,12 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, Could relax this later if it ever proves useful. */ if (length == 0) abort (); - return insn; } - return NULL; + if (cd->int_insn_p) + free (buf); + + return insn; } /* Fill in the operand instances used by INSN whose operands are FIELDS. -- 2.9.3
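Review bot: In the hunk at -505, swapping `return insn;` for `break;` sends the no-match case to the new final `return insn;` as well, where the old code reached `return NULL;`. The loop body is not visible in this hunk, but if it stores each candidate in insn before testing it, a lookup that matches nothing would now return the last rejected candidate instead of NULL. Suggest resetting insn to NULL before advancing to the next list entry, or assigning it only once a match is confirmed, so callers still see NULL on failure.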
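Review bot: In the hunk at -530, the new `free (buf);` is guarded by re-testing `cd->int_insn_p` at the end of the function, far from the `xmalloc` in the first hunk, so whether buf is owned here is implied rather than stated. In the else branch buf is not allocated in the visible lines, so a later edit that changes either condition could free a caller's buffer or leak the allocation. Suggest holding the allocation in its own pointer initialised to NULL and freeing that unconditionally before the return, or at least adding a comment at the `xmalloc` that buf must stay live until the lookup has finished, so the early free is not reintroduced.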