From 1c529385d9d7f53efa541d9701ec8c1001581e3e Mon Sep 17 00:00:00 2001
From: Li Hao <li.hao296@zte.com.cn>
Date: Fri, 15 Mar 2019 11:58:05 +0000
Subject: [PATCH] Fix a potential illegal memory access whilt parsing an x86
 insn.

	PR 24308
	* config/tc-i386.c (parse_insn): Check mnemp before using it to
	determine if a suffix can be trimmed.
---
 gas/ChangeLog        |  6 ++++
 gas/config/tc-i386.c | 68 +++++++++++++++++++++++---------------------
 2 files changed, 42 insertions(+), 32 deletions(-)

diff --git a/gas/ChangeLog b/gas/ChangeLog
index d08c09647c6..bf0c1710011 100644
--- a/gas/ChangeLog
+++ b/gas/ChangeLog
@@ -1,3 +1,9 @@
+2019-03-15  Li Hao  <li.hao296@zte.com.cn>
+
+	PR 24308
+	* config/tc-i386.c (parse_insn): Check mnemp before using it to
+	determine if a suffix can be trimmed.
+
 2019-03-13  Christian Eggers  <ceggers@gmx.de>
 
 	* dwarf2dbg.c (out_set_addr): Align relocation within .debug_line.
diff --git a/gas/config/tc-i386.c b/gas/config/tc-i386.c
index d31ee6abdd0..1b1b0a95da8 100644
--- a/gas/config/tc-i386.c
+++ b/gas/config/tc-i386.c
@@ -4561,46 +4561,50 @@ parse_insn (char *line, char *mnemonic)
   if (!current_templates)
     {
 check_suffix:
-      /* See if we can get a match by trimming off a suffix.  */
-      switch (mnem_p[-1])
+      if (mnem_p > mnemonic)
 	{
-	case WORD_MNEM_SUFFIX:
-	  if (intel_syntax && (intel_float_operand (mnemonic) & 2))
-	    i.suffix = SHORT_MNEM_SUFFIX;
-	  else
-	    /* Fall through.  */
-	case BYTE_MNEM_SUFFIX:
-	case QWORD_MNEM_SUFFIX:
-	  i.suffix = mnem_p[-1];
-	  mnem_p[-1] = '\0';
-	  current_templates = (const templates *) hash_find (op_hash,
-                                                             mnemonic);
-	  break;
-	case SHORT_MNEM_SUFFIX:
-	case LONG_MNEM_SUFFIX:
-	  if (!intel_syntax)
-	    {
-	      i.suffix = mnem_p[-1];
-	      mnem_p[-1] = '\0';
-	      current_templates = (const templates *) hash_find (op_hash,
-                                                                 mnemonic);
-	    }
-	  break;
-
-	  /* Intel Syntax.  */
-	case 'd':
-	  if (intel_syntax)
+	  /* See if we can get a match by trimming off a suffix.  */
+	  switch (mnem_p[-1])
 	    {
-	      if (intel_float_operand (mnemonic) == 1)
+	    case WORD_MNEM_SUFFIX:
+	      if (intel_syntax && (intel_float_operand (mnemonic) & 2))
 		i.suffix = SHORT_MNEM_SUFFIX;
 	      else
-		i.suffix = LONG_MNEM_SUFFIX;
+		/* Fall through.  */
+	      case BYTE_MNEM_SUFFIX:
+	      case QWORD_MNEM_SUFFIX:
+		i.suffix = mnem_p[-1];
 	      mnem_p[-1] = '\0';
 	      current_templates = (const templates *) hash_find (op_hash,
-                                                                 mnemonic);
+								 mnemonic);
+	      break;
+	    case SHORT_MNEM_SUFFIX:
+	    case LONG_MNEM_SUFFIX:
+	      if (!intel_syntax)
+		{
+		  i.suffix = mnem_p[-1];
+		  mnem_p[-1] = '\0';
+		  current_templates = (const templates *) hash_find (op_hash,
+								     mnemonic);
+		}
+	      break;
+
+	      /* Intel Syntax.  */
+	    case 'd':
+	      if (intel_syntax)
+		{
+		  if (intel_float_operand (mnemonic) == 1)
+		    i.suffix = SHORT_MNEM_SUFFIX;
+		  else
+		    i.suffix = LONG_MNEM_SUFFIX;
+		  mnem_p[-1] = '\0';
+		  current_templates = (const templates *) hash_find (op_hash,
+								     mnemonic);
+		}
+	      break;
 	    }
-	  break;
 	}
+
       if (!current_templates)
 	{
 	  as_bad (_("no such instruction: `%s'"), token_start);
-- 
2.30.2