Proper bound check in _bfd_doprnt_scan

While an abort after storing out of bounds by one to an array in our
caller is probably OK in practice, it's better to check before storing.

	PR 22397
	* bfd.c (_bfd_doprnt_scan): Check args index before storing, not
	after.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 80d14ae1693d9aac8b7e75351ebc24bd9d24a88a..2362ca0a4fc8788c0fd40f5096ae5b8c8a9442b3 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-05  Alan Modra  <amodra@gmail.com>
+
+       PR 22397
+       * bfd.c (_bfd_doprnt_scan): Check args index before storing, not
+       after.
+
 2017-11-05  Alan Modra  <amodra@gmail.com>
 
        PR 22397

diff --git a/bfd/bfd.c b/bfd/bfd.c
index 006fb2bf3481dffcfcd01cd345f72ee761e78d95..35f748c3f9c69d2443af695d7bff4aea9d702d51 100644 (file)
--- a/bfd/bfd.c
+++ b/bfd/bfd.c
@@ -974,10 +974,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
                  arg_index = *ptr - '1';
                  ptr += 2;
                }
+             if (arg_index >= 9)
+               abort ();
              args[arg_index].type = Int;
              arg_count++;
-             if (arg_count > 9)
-               abort ();
            }
          else
            /* Handle explicit numeric value.  */
@@ -999,10 +999,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
                      arg_index = *ptr - '1';
                      ptr += 2;
                    }
+                 if (arg_index >= 9)
+                   abort ();
                  args[arg_index].type = Int;
                  arg_count++;
-                 if (arg_count > 9)
-                   abort ();
                }
              else
                /* Handle explicit numeric value.  */
@@ -1032,6 +1032,8 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
          if ((int) arg_no < 0)
            arg_no = arg_count;
 
+         if (arg_no >= 9)
+           abort ();
          switch (ptr[-1])
            {
            case 'd':
@@ -1100,8 +1102,6 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
              abort();
            }
          arg_count++;
-         if (arg_count > 9)
-           abort ();
        }
     }