This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] cgen: opcodes: Fix memory corruption in in lookup

From: Yao Qi <qiyaoltc at gmail dot com>
To: Stafford Horne <shorne at gmail dot com>, Binutils <binutils at sourceware dot org>
Cc: "gdb-patches at sourceware dot org" <gdb-patches at sourceware dot org>
Date: Wed, 8 Feb 2017 17:01:05 +0000
Subject: Re: [PATCH] cgen: opcodes: Fix memory corruption in in lookup
Authentication-results: sourceware.org; auth=none
References: <20170208164027.17843-1-shorne@gmail.com>

Hi Stafford,
opcodes/ changes should be reviewed in binutils@sourceware.org.

On Wed, Feb 8, 2017 at 4:40 PM, Stafford Horne <shorne@gmail.com> wrote:
> The buf variable is used after it is free'd.  This causes the lookups to
> fail and also causes memory corruption.
>
> Re-arrange the code a bit to make sure we always free memory before
> returning. This was caught in openrisc testing, one of the only user of
> this method.
>
> opcodes/ChangeLog:
>
> 2017-02-09  Stafford Horne  <shorne@gmail.com>
>         cgen-opc.c (cgen_lookup_insn): Fix memory corruption issue.

ChangeLog format issue,

017-02-09  Stafford Horne  <shorne@gmail.com>

* cgen-opc.c (cgen_lookup_insn): Fix memory corruption issue.

> ---
>  opcodes/cgen-opc.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/opcodes/cgen-opc.c b/opcodes/cgen-opc.c
> index 72b4f05..40a6320 100644
> --- a/opcodes/cgen-opc.c
> +++ b/opcodes/cgen-opc.c
> @@ -463,7 +463,6 @@ cgen_lookup_insn (CGEN_CPU_DESC cd,
>        buf = (unsigned char *) xmalloc (cd->max_insn_bitsize / 8);
>        cgen_put_insn_value (cd, buf, length, insn_int_value);
>        base_insn = insn_int_value;
> -      free (buf);
>      }
>    else
>      {
> @@ -475,7 +474,7 @@ cgen_lookup_insn (CGEN_CPU_DESC cd,
>        base_insn = cgen_get_insn_value (cd, buf, length);
>      }
>
> -  if (!insn)
> +  if (insn == NULL)
>      {
>        const CGEN_INSN_LIST *insn_list;
>
> @@ -505,7 +504,8 @@ cgen_lookup_insn (CGEN_CPU_DESC cd,
>                       /* sanity check */
>                       if (length != 0 && length != elength)
>                         abort ();
> -                     return insn;
> +                     /* found, done */
> +                     break;
>                     }
>                 }
>             }
> @@ -530,10 +530,12 @@ cgen_lookup_insn (CGEN_CPU_DESC cd,
>          Could relax this later if it ever proves useful.  */
>        if (length == 0)
>         abort ();
> -      return insn;
>      }
>
> -  return NULL;
> +  if (cd->int_insn_p)
> +    free (buf);
> +
> +  return insn;
>  }
>
>  /* Fill in the operand instances used by INSN whose operands are FIELDS.
> --
> 2.9.3
>

-- 
Yao (齐尧)

Follow-Ups:
- Re: [PATCH] cgen: opcodes: Fix memory corruption in in lookup
  - From: Stafford Horne

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]