Fix invalid memory access in gcc.c (driver/72765)

	PR driver/72765
	* gcc.c (do_spec_1): Call save_string with the right size.
	(save_string): Do an assert about string we copy.

From-SVN: r239475

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index 2b5355d0f9f6a91a2fd92dedc552a22212705eca..dc7e8cbc451a7af37cb99c7dff51473ccffd4ccf 100644 (file)
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,9 @@
+2016-08-15  Martin Liska  <mliska@suse.cz>
+
+       PR driver/72765
+       * gcc.c (do_spec_1): Call save_string with the right size.
+       (save_string): Do an assert about string we copy.
+
 2016-08-15  Richard Biener  <rguenther@suse.de>
 
        * ree.c (rest_of_handle_ree): Remove redundant timevar push/pop.

diff --git a/gcc/gcc.c b/gcc/gcc.c
index 7460f6af148969734c6cffeef870388355ef76cf..d3e8c88ac682c63e46dcf9bde2fae519ddd3f851 100644 (file)
--- a/gcc/gcc.c
+++ b/gcc/gcc.c
@@ -5420,8 +5420,9 @@ do_spec_1 (const char *spec, int inswitch, const char *soft_matched_part)
                        if (files_differ)
 #endif
                          {
-                           temp_filename = save_string (temp_filename,
-                                                        temp_filename_length + 1);
+                           temp_filename
+                             = save_string (temp_filename,
+                                            temp_filename_length - 1);
                            obstack_grow (&obstack, temp_filename,
                                                    temp_filename_length);
                            arg_going = 1;
@@ -8362,6 +8363,7 @@ save_string (const char *s, int len)
 {
   char *result = XNEWVEC (char, len + 1);
 
+  gcc_checking_assert (strlen (s) >= (unsigned int) len);
   memcpy (result, s, len);
   result[len] = 0;
   return result;