vax decoding of indexed addressing mode

This patch prevents print_insn_mode recursing into another index mode
byte, which if repeated enough times will overflow private.the_buffer
and scribble over other memory.

	* vax-dis.c (print_insn_mode): Stop index mode recursion.

diff --git a/opcodes/ChangeLog b/opcodes/ChangeLog
index 0ace940313a188d9b444d9755416a8cfd2e6a4b0..49b94e3a34ebcb419292f0c600d34053cd9e0e9c 100644 (file)
--- a/opcodes/ChangeLog
+++ b/opcodes/ChangeLog
@@ -1,3 +1,7 @@
+2019-12-19  Alan Modra  <amodra@gmail.com>
+
+       * vax-dis.c (print_insn_mode): Stop index mode recursion.
+
 2019-12-19  Dr N.W. Filardo  <nwf20@cam.ac.uk>
 
        PR 25277

diff --git a/opcodes/vax-dis.c b/opcodes/vax-dis.c
index 0b331412d39952c590f8c8c8a62e28c62a73714f..f88001584a44daa881f39872dfb0817e8ab9fee8 100644 (file)
--- a/opcodes/vax-dis.c
+++ b/opcodes/vax-dis.c
@@ -240,8 +240,18 @@ print_insn_mode (const char *d,
         (*info->fprintf_func) (info->stream, "$0x%x", mode);
       break;
     case 0x40: /* Index:                       base-addr[Rn] */
-      p += print_insn_mode (d, size, p0 + 1, addr + 1, info);
-      (*info->fprintf_func) (info->stream, "[%s]", reg_names[reg]);
+      {
+       unsigned char *q = p0 + 1;
+       unsigned char nextmode = NEXTBYTE (q);
+       if (nextmode < 0x60 || nextmode == 0x8f)
+         /* Literal, index, register, or immediate is invalid.  In
+            particular don't recurse into another index mode which
+            might overflow the_buffer.   */
+         (*info->fprintf_func) (info->stream, "[invalid base]");
+       else
+         p += print_insn_mode (d, size, p0 + 1, addr + 1, info);
+       (*info->fprintf_func) (info->stream, "[%s]", reg_names[reg]);
+      }
       break;
     case 0x50: /* Register:                    Rn */
       (*info->fprintf_func) (info->stream, "%s", reg_names[reg]);