From cd826186c8b271fa7a1f5ff93b55acd672baf646 Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Thu, 2 Jun 2022 11:29:34 +0930 Subject: [PATCH] sb_scrub_and_add_sb not draining input string buffer It is possible for sb_scrub_and_add_sb to not consume all of the input string buffer. If this happens for reasons explained in the comment, do_scrub_chars can leave pointers to the string buffer for the next call. This patch fixes that by ensuring the input is drained. Note that the behaviour for an empty string buffer is also changed, avoiding another do_scrub_chars bug where empty input and single char sized output buffers could result in a write past the end of the output. sb.c (sb_scrub_and_add_sb): Loop until all of input sb is consumed. --- gas/sb.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/gas/sb.c b/gas/sb.c index 6a4c4d0c790..c44016a0338 100644 --- a/gas/sb.c +++ b/gas/sb.c @@ -111,8 +111,20 @@ sb_scrub_and_add_sb (sb *ptr, sb *s) sb_to_scrub = s; scrub_position = s->ptr; - sb_check (ptr, s->len); - ptr->len += do_scrub_chars (scrub_from_sb, ptr->ptr + ptr->len, s->len); + /* do_scrub_chars can expand text, for example when replacing + # 123 "filename" + with + \t.linefile 123 "filename" + or when replacing a 'c with the decimal ascii number for c. + So we loop until the input S is consumed. */ + while (1) + { + size_t copy = s->len - (scrub_position - s->ptr); + if (copy == 0) + break; + sb_check (ptr, copy); + ptr->len += do_scrub_chars (scrub_from_sb, ptr->ptr + ptr->len, copy); + } sb_to_scrub = 0; scrub_position = 0; -- 2.30.2