This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.
[binutils-gdb/binutils-2_29-branch] Proper bound check in _bfd_doprnt_scan
- From: Alan Modra <amodra at sourceware dot org>
- To: bfd-cvs at sourceware dot org
- Date: 5 Nov 2017 13:16:01 -0000
- Subject: [binutils-gdb/binutils-2_29-branch] Proper bound check in _bfd_doprnt_scan
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d6b67f5774b1f320ee1e6f26e47c49ace651d0a7
commit d6b67f5774b1f320ee1e6f26e47c49ace651d0a7
Author: Alan Modra <amodra@gmail.com>
Date: Sun Nov 5 19:52:13 2017 +1030
Proper bound check in _bfd_doprnt_scan
While an abort after storing out of bounds by one to an array in our
caller is probably OK in practice, it's better to check before storing.
PR 22397
* bfd.c (_bfd_doprnt_scan): Check args index before storing, not
after.
(cherry picked from commit 26a9301057457ae576b51b8127bb805b4e484a6b)
Diff:
---
bfd/ChangeLog | 6 ++++++
bfd/bfd.c | 12 ++++++------
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 3ddb1dc..4ad3675 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,6 +1,12 @@
2017-11-05 Alan Modra <amodra@gmail.com>
PR 22397
+ * bfd.c (_bfd_doprnt_scan): Check args index before storing, not
+ after.
+
+2017-11-05 Alan Modra <amodra@gmail.com>
+
+ PR 22397
* bfd.c (union _bfd_doprnt_args): New.
(PRINT_TYPE): Add FIELD arg. Take value from args.
(_bfd_doprnt): Replace ap parameter with args. Adjust all
diff --git a/bfd/bfd.c b/bfd/bfd.c
index 0bec897..3e88229 100644
--- a/bfd/bfd.c
+++ b/bfd/bfd.c
@@ -959,10 +959,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
arg_index = *ptr - '1';
ptr += 2;
}
+ if (arg_index >= 9)
+ abort ();
args[arg_index].type = Int;
arg_count++;
- if (arg_count > 9)
- abort ();
}
else
/* Handle explicit numeric value. */
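Review bot: the guard added before `args[arg_index].type = Int;` tests only the upper bound (`arg_index >= 9`), and the declaration of `arg_index` is outside this hunk. Since `arg_index = *ptr - '1'` goes negative in a signed variable whenever the digit is '0', the check is complete only if `arg_index` is unsigned or the digit test above (not shown) excludes '0'. Please confirm which one holds and say so in a short comment next to the check.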
@@ -984,10 +984,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
arg_index = *ptr - '1';
ptr += 2;
}
+ if (arg_index >= 9)
+ abort ();
args[arg_index].type = Int;
arg_count++;
- if (arg_count > 9)
- abort ();
}
else
/* Handle explicit numeric value. */
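Review bot: this hunk is line-for-line the same as the previous one, so the bound check before `args[arg_index].type = Int;` now exists in two copies that have to be kept in sync. Consider moving the `*` argument handling (index parse, bound check, store, `arg_count++`) into one small static helper called from both places, so a later change to the limit cannot miss one of them.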
@@ -1017,6 +1017,8 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
if ((int) arg_no < 0)
arg_no = arg_count;
+ if (arg_no >= 9)
+ abort ();
switch (ptr[-1])
{
case 'd':
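Review bot: `if (arg_no >= 9)` is the third place in this patch where the literal 9 appears, and the commit message says the array being protected lives in the caller. A named constant shared with the caller's array declaration, or an explicit size parameter to `_bfd_doprnt_scan`, would tie the check to the actual array length. The placement itself, after the `(int) arg_no < 0` fallback and before the `switch`, is right because it covers the case where `arg_no` is taken from `arg_count`.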
@@ -1085,8 +1087,6 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
abort();
}
arg_count++;
- if (arg_count > 9)
- abort ();
}
}