It is possible for sb_scrub_and_add_sb to not consume all of the input
string buffer. If this happens for reasons explained in the comment,
do_scrub_chars can leave pointers to the string buffer for the next
call. This patch fixes that by ensuring the input is drained. Note
that the behaviour for an empty string buffer is also changed,
avoiding another do_scrub_chars bug where empty input and single char
sized output buffers could result in a write past the end of the
output.
	* sb.c (sb_scrub_and_add_sb): Loop until all of input sb is consumed.
sb_to_scrub = s;
scrub_position = s->ptr;
- sb_check (ptr, s->len);
- ptr->len += do_scrub_chars (scrub_from_sb, ptr->ptr + ptr->len, s->len);
+ /* do_scrub_chars can expand text, for example when replacing
+ # 123 "filename"
+ with
+ \t.linefile 123 "filename"
+ or when replacing a 'c with the decimal ascii number for c.
+ So we loop until the input S is consumed. */
+ while (1)
+ {
+ size_t copy = s->len - (scrub_position - s->ptr);
+ if (copy == 0)
+ break;
+ sb_check (ptr, copy);
+ ptr->len += do_scrub_chars (scrub_from_sb, ptr->ptr + ptr->len, copy);
+ }
sb_to_scrub = 0;
scrub_position = 0;
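Review bot: the new loop terminates only if every call to do_scrub_chars advances scrub_position; if a call returns 0 bytes without consuming any input (for instance when the `copy` bytes reserved by `sb_check (ptr, copy);` are too few to hold one expanded token such as `\t.linefile 123 "filename"`), `copy` never reaches zero and `while (1)` spins forever. The comment above the loop explains why the output can outgrow the input but not why forward progress is guaranteed, so either state that invariant in the comment (do_scrub_chars must consume at least one input character whenever it is handed a non-empty buffer) or guard it, e.g. record `scrub_position` before the call and `abort ()` or break if it is unchanged after `ptr->len += do_scrub_chars (...)`. It is also worth a sentence in the comment that the `copy == 0` early exit is deliberate, since the commit message notes it changes the empty-input behaviour by never calling do_scrub_chars with an empty input and a one-byte output buffer.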