From 8a267ea84798eb4e6547c8ff2617d2377d83c118 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sat, 29 Aug 2020 10:46:59 +0930
Subject: [PATCH] PR26481 UBSAN: tc-pj.c:281 index out of bounds

	PR 26481
	* config/tc-pj.c (md_assemble): Don't loop past end of
	opcode->arg array.
---
 gas/ChangeLog      | 6 ++++++
 gas/config/tc-pj.c | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/gas/ChangeLog b/gas/ChangeLog
index 9bdbb4b172f..210a22c70bb 100644
--- a/gas/ChangeLog
+++ b/gas/ChangeLog
@@ -1,3 +1,9 @@
+2020-08-29  Alan Modra  <amodra@gmail.com>
+
+	PR 26481
+	* config/tc-pj.c (md_assemble): Don't loop past end of
+	opcode->arg array.
+
 2020-08-28  Alan Modra  <amodra@gmail.com>
 
 	PR 26460
diff --git a/gas/config/tc-pj.c b/gas/config/tc-pj.c
index bc4b8cb117c..1ec84542d07 100644
--- a/gas/config/tc-pj.c
+++ b/gas/config/tc-pj.c
@@ -270,7 +270,7 @@ md_assemble (char *str)
     }
   else
     {
-      int an;
+      unsigned int an;
 
       output = frag_more (opcode->len);
       output[idx++] = opcode->opcode;
@@ -278,7 +278,7 @@ md_assemble (char *str)
       if (opcode->opcode_next != -1)
 	output[idx++] = opcode->opcode_next;
 
-      for (an = 0; opcode->arg[an]; an++)
+      for (an = 0; an < ARRAY_SIZE (opcode->arg) && opcode->arg[an]; an++)
 	{
 	  expressionS arg;
 
-- 
2.30.2