From: Alan Modra
Date: Mon, 28 Mar 2022 07:21:30 +0000 (+1030)
Subject: asan: heap buffer overflow in pa_chk_field_selector
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=1fc6fa2f1be66d99007bc2dba90f2c57f941bf58;p=binutils-gdb.git
asan: heap buffer overflow in pa_chk_field_selector
The buffer overflow showed up running the gas "all macro" test.
PR 29005
* config/tc-hppa.c (pa_chk_field_selector): Don't read past end of line.
---
diff --git a/gas/config/tc-hppa.c b/gas/config/tc-hppa.c
index 742d262a5b5..5a4db51b89a 100644
--- a/gas/config/tc-hppa.c
+++ b/gas/config/tc-hppa.c
@@ -2432,24 +2432,37 @@ pa_chk_field_selector (char **str)
 int middle, low, high;
 int cmp;
 char name[4];
+ char *s = *str;
 /* Read past any whitespace. */
- /* FIXME: should we read past newlines and formfeeds??? */
- while (**str == ' ' || **str == '\t' || **str == '\n' || **str == '\f')
- *str = *str + 1;
-
- if ((*str)[1] == '\'' || (*str)[1] == '%')
- name[0] = TOLOWER ((*str)[0]),
- name[1] = 0;
- else if ((*str)[2] == '\'' || (*str)[2] == '%')
- name[0] = TOLOWER ((*str)[0]),
- name[1] = TOLOWER ((*str)[1]),
- name[2] = 0;
- else if ((*str)[3] == '\'' || (*str)[3] == '%')
- name[0] = TOLOWER ((*str)[0]),
- name[1] = TOLOWER ((*str)[1]),
- name[2] = TOLOWER ((*str)[2]),
- name[3] = 0;
+ while (*s == ' ' || *s == '\t')
+ s++;
+ *str = s;
+
+ if (is_end_of_line [(unsigned char) s[0]])
+ return e_fsel;
+ else if (s[1] == '\'' || s[1] == '%')
+ {
+ name[0] = TOLOWER (s[0]);
+ name[1] = 0;
+ }
+ else if (is_end_of_line [(unsigned char) s[1]])
+ return e_fsel;
+ else if (s[2] == '\'' || s[2] == '%')
+ {
+ name[0] = TOLOWER (s[0]);
+ name[1] = TOLOWER (s[1]);
+ name[2] = 0;
+ }
+ else if (is_end_of_line [(unsigned char) s[2]])
+ return e_fsel;
+ else if (s[3] == '\'' || s[3] == '%')
+ {
+ name[0] = TOLOWER (s[0]);
+ name[1] = TOLOWER (s[1]);
+ name[2] = TOLOWER (s[2]);
+ name[3] = 0;
+ }
 else
 return e_fsel;
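Review bot: The bounds safety of the new `else if` ladder rests entirely on the order of its arms, and nothing in the code records that: each `s[N+1]` comparison is only in bounds because the arm before it returned `e_fsel` when `is_end_of_line` matched `s[N]`. A comment above the ladder would keep a later reorder or an added arm from reintroducing the overread ASAN reported, for example `/* Each s[N+1] read is guarded by the is_end_of_line test on s[N]; keep the arms in this order.  */`. The retained context comment `/* Read past any whitespace.  */` is also no longer accurate, since the loop now stops at `'\n'` and `'\f'`; something like `/* Skip spaces and tabs only; never step past end of line.  */` would match the new behaviour. The scheme presumably relies on the input buffer always ending in a byte that `is_end_of_line` flags, which this hunk does not show. The body of `pa_chk_field_selector` continues outside the hunk.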