From: Alan Modra Date: Sat, 11 Feb 2017 06:47:59 +0000 (+1030) Subject: Fix use after free in cgen instruction lookup X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=54064fdb792313355c92d9880680fad825d71ebd;p=binutils-gdb.git Fix use after free in cgen instruction lookup * cgen-opc.c (cgen_lookup_insn): Delete buf and base_insn temps. Use insn_bytes_value and insn_int_value directly instead. Don't free allocated memory until function exit. --- diff --git a/opcodes/ChangeLog b/opcodes/ChangeLog index 8366d1b94c7..fc6637b5640 100644 --- a/opcodes/ChangeLog +++ b/opcodes/ChangeLog @@ -1,3 +1,10 @@ +2017-02-11 Stafford Horne + Alan Modra + + * cgen-opc.c (cgen_lookup_insn): Delete buf and base_insn temps. + Use insn_bytes_value and insn_int_value directly instead. Don't + free allocated memory until function exit. + 2017-02-10 Nicholas Piggin * ppc-opc.c (powerpc_opcodes) : New mnemonics. diff --git a/opcodes/cgen-opc.c b/opcodes/cgen-opc.c index 72b4f05a188..4299db3c90e 100644 --- a/opcodes/cgen-opc.c +++ b/opcodes/cgen-opc.c @@ -452,18 +452,14 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, CGEN_FIELDS *fields, int alias_p) { - unsigned char *buf; - CGEN_INSN_INT base_insn; CGEN_EXTRACT_INFO ex_info; CGEN_EXTRACT_INFO *info; if (cd->int_insn_p) { info = NULL; - buf = (unsigned char *) xmalloc (cd->max_insn_bitsize / 8); - cgen_put_insn_value (cd, buf, length, insn_int_value); - base_insn = insn_int_value; - free (buf); + insn_bytes_value = (unsigned char *) xmalloc (cd->max_insn_bitsize / 8); + cgen_put_insn_value (cd, insn_bytes_value, length, insn_int_value); } else { @@ -471,8 +467,7 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, ex_info.dis_info = NULL; ex_info.insn_bytes = insn_bytes_value; ex_info.valid = -1; - buf = insn_bytes_value; - base_insn = cgen_get_insn_value (cd, buf, length); + insn_int_value = cgen_get_insn_value (cd, insn_bytes_value, length); } if (!insn) @@ -482,7 +477,8 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, /* The instructions are stored in hash lists. Pick the first one and keep trying until we find the right one. */ - insn_list = cgen_dis_lookup_insn (cd, (char *) buf, base_insn); + insn_list = cgen_dis_lookup_insn (cd, (char *) insn_bytes_value, + insn_int_value); while (insn_list != NULL) { insn = insn_list->insn; @@ -494,18 +490,18 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, /* Basic bit mask must be correct. */ /* ??? May wish to allow target to defer this check until the extract handler. */ - if ((base_insn & CGEN_INSN_BASE_MASK (insn)) + if ((insn_int_value & CGEN_INSN_BASE_MASK (insn)) == CGEN_INSN_BASE_VALUE (insn)) { /* ??? 0 is passed for `pc' */ int elength = CGEN_EXTRACT_FN (cd, insn) - (cd, insn, info, base_insn, fields, (bfd_vma) 0); + (cd, insn, info, insn_int_value, fields, (bfd_vma) 0); if (elength > 0) { /* sanity check */ if (length != 0 && length != elength) abort (); - return insn; + break; } } } @@ -525,15 +521,17 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, /* ??? 0 is passed for `pc' */ length = CGEN_EXTRACT_FN (cd, insn) - (cd, insn, info, base_insn, fields, (bfd_vma) 0); + (cd, insn, info, insn_int_value, fields, (bfd_vma) 0); /* Sanity check: must succeed. Could relax this later if it ever proves useful. */ if (length == 0) abort (); - return insn; } - return NULL; + if (cd->int_insn_p) + free (insn_bytes_value); + + return insn; } /* Fill in the operand instances used by INSN whose operands are FIELDS.