nfp: add validity check of island and me

AddressSanitizer detects heap-buffer-overflow when running
"objdump -D" for nfp .nffw files.

	PR 27854
	* nfp-dis.c (_NFP_ISLAND_MAX, _NFP_ME_MAX): Define.
	(nfp_priv_data): ..and use here.
	(_print_instrs): Sanity check island and menum.

Signed-off-by: Yinjun Zhang <yinjun.zhang@corigine.com>
Signed-off-by: Simon Horman <simon.horman@corigine.com>

diff --git a/opcodes/nfp-dis.c b/opcodes/nfp-dis.c
index b74ccb3fce59f60a374ee692bca50df85c22371f..170f6a2d63ed6b644952f35e0ec970c14c75b222 100644 (file)
--- a/opcodes/nfp-dis.c
+++ b/opcodes/nfp-dis.c
@@ -46,6 +46,9 @@
 #define _NFP_ME27_28_CSR_CTX_ENABLES     0x18
 #define _NFP_ME27_28_CSR_MISC_CONTROL    0x160
 
+#define _NFP_ISLAND_MAX 64
+#define _NFP_ME_MAX     12
+
 typedef struct
 {
   unsigned char ctx4_mode:1;
@@ -65,7 +68,7 @@ nfp_opts;
 /* mecfgs[island][menum][is-text] */
 typedef struct
 {
-  nfp_priv_mecfg mecfgs[64][12][2];
+  nfp_priv_mecfg mecfgs[_NFP_ISLAND_MAX][_NFP_ME_MAX][2];
 }
 nfp_priv_data;
 
@@ -2837,6 +2840,12 @@ _print_instrs (bfd_vma addr, struct disassemble_info *dinfo, nfp_opts * opts)
          break;
        }
 
+      if (island >= _NFP_ISLAND_MAX || menum >= _NFP_ME_MAX)
+       {
+         dinfo->fprintf_func (dinfo->stream, "Invalid island or me.");
+         return _NFP_ERR_STOP;
+       }
+
       mecfg = &priv->mecfgs[island][menum][is_text];
       num_ctx = (mecfg->ctx4_mode) ? 4 : 8;
       addr_3rdparty32 = mecfg->addr_3rdparty32;