From 450ccef08d3a35300c9ebeee71df96b9c56ca0b0 Mon Sep 17 00:00:00 2001
From: Chen Gang
Date: Wed, 15 Oct 2014 09:48:47 +1030
Subject: [PATCH] Fix memory overflow issue about strncat
If src contains n or more bytes, strncat() writes n+1 bytes to dest (n from src plus the terminating null byte). Therefore, the size of dest must be at least strlen(dest)+n+1.
* config/tc-tic4x.c (md_assemble): Correct strncat size.
---
 gas/ChangeLog | 4 ++++
 gas/config/tc-tic4x.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/gas/ChangeLog b/gas/ChangeLog
index 40476234b6c..7ac3677f49c 100644
--- a/gas/ChangeLog
+++ b/gas/ChangeLog
@@ -1,3 +1,7 @@
+2014-10-15 Chen Gang
+
+ * config/tc-tic4x.c (md_assemble): Correct strncat size.
+
 2014-10-14 Tristan Gingold
 * NEWS: Add marker for 2.25.
diff --git a/gas/config/tc-tic4x.c b/gas/config/tc-tic4x.c
index 904a68c849e..dc821680739 100644
--- a/gas/config/tc-tic4x.c
+++ b/gas/config/tc-tic4x.c
@@ -2456,7 +2456,7 @@ md_assemble (char *str)
 if (*s) /* Null terminate for hash_find. */
 *s++ = '\0'; /* and skip past null. */
 strcat (insn->name, "_");
- strncat (insn->name, str, TIC4X_NAME_MAX - strlen (insn->name));
+ strncat (insn->name, str, TIC4X_NAME_MAX - 1 - strlen (insn->name));
 insn->operands[insn->num_operands++].mode = M_PARALLEL;
--
2.30.2
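Review bot: The bound passed to strncat in md_assemble, `TIC4X_NAME_MAX - 1 - strlen (insn->name)`, is evaluated in size_t, so it wraps to a very large count whenever insn->name already holds TIC4X_NAME_MAX - 1 or more characters, and the `strcat (insn->name, "_")` just above it appends with no bound at all. Assuming insn->name is a TIC4X_NAME_MAX-byte array (its declaration is outside the hunk), I would check the remaining room before both calls, for example `if (strlen (insn->name) + 2 > TIC4X_NAME_MAX) as_bad (_("mnemonic too long"));` followed by an early exit, with the message text being only a suggestion. Separately, strncat truncates silently, so an over-long second mnemonic would reach the later hash lookup clipped; a diagnostic seems preferable, though whether that lookup already rejects such a name is not visible here. md_assemble starts and ends outside this hunk.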