
[binutils-gdb/binutils-2_29-branch] Proper bound check in _bfd_doprnt_scan


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d6b67f5774b1f320ee1e6f26e47c49ace651d0a7

commit d6b67f5774b1f320ee1e6f26e47c49ace651d0a7
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Nov 5 19:52:13 2017 +1030

    Proper bound check in _bfd_doprnt_scan
    
    While an abort after storing out of bounds by one to an array in our
    caller is probably OK in practice, it's better to check before storing.
    
    	PR 22397
    	* bfd.c (_bfd_doprnt_scan): Check args index before storing, not
    	after.
    
    (cherry picked from commit 26a9301057457ae576b51b8127bb805b4e484a6b)

Diff:
---
 bfd/ChangeLog |  6 ++++++
 bfd/bfd.c     | 12 ++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 3ddb1dc..4ad3675 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,6 +1,12 @@
 2017-11-05  Alan Modra  <amodra@gmail.com>
 
 	PR 22397
+	* bfd.c (_bfd_doprnt_scan): Check args index before storing, not
+	after.
+
+2017-11-05  Alan Modra  <amodra@gmail.com>
+
+	PR 22397
 	* bfd.c (union _bfd_doprnt_args): New.
 	(PRINT_TYPE): Add FIELD arg.  Take value from args.
 	(_bfd_doprnt): Replace ap parameter with args.  Adjust all
diff --git a/bfd/bfd.c b/bfd/bfd.c
index 0bec897..3e88229 100644
--- a/bfd/bfd.c
+++ b/bfd/bfd.c
@@ -959,10 +959,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 		  arg_index = *ptr - '1';
 		  ptr += 2;
 		}
+	      if (arg_index >= 9)
+		abort ();
 	      args[arg_index].type = Int;
 	      arg_count++;
-	      if (arg_count > 9)
-		abort ();
 	    }
 	  else
 	    /* Handle explicit numeric value.  */
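Review bot: The new `if (arg_index >= 9)` guard rejects every bad index only if `arg_index` is unsigned; its declaration and the digit test before `arg_index = *ptr - '1'` are outside this hunk, so that cannot be confirmed here. If it were a signed int, a value below zero would pass the check and the store to `args[arg_index]` would land before the array. I would make the intent explicit with `if ((unsigned int) arg_index >= 9)`, or add a comment such as `/* arg_index is unsigned, so this also rejects values that wrapped below zero.  */`. The same applies to the identical check in the second hunk. The literal 9 is also repeated in three hunks while the array it protects lives in the caller, so a named constant shared with the caller would keep the bound and the array size from drifting apart.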
@@ -984,10 +984,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 		      arg_index = *ptr - '1';
 		      ptr += 2;
 		    }
+		  if (arg_index >= 9)
+		    abort ();
 		  args[arg_index].type = Int;
 		  arg_count++;
-		  if (arg_count > 9)
-		    abort ();
 		}
 	      else
 		/* Handle explicit numeric value.  */
@@ -1017,6 +1017,8 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 	  if ((int) arg_no < 0)
 	    arg_no = arg_count;
 
+	  if (arg_no >= 9)
+	    abort ();
 	  switch (ptr[-1])
 	    {
 	    case 'd':
@@ -1085,8 +1087,6 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 	      abort();
 	    }
 	  arg_count++;
-	  if (arg_count > 9)
-	    abort ();
 	}
     }
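Review bot: With the `arg_count > 9` test removed after `arg_count++`, nothing bounds `arg_count` itself any more. The check added in the previous hunk tests `arg_no`, which is set to `arg_count` only when `(int) arg_no < 0`. When `arg_no` was given explicitly earlier in the loop (outside these hunks), each conversion still increments `arg_count`, so it can grow past 9 without any store being out of range. If the count is returned and the caller uses it to walk its array (neither the return statement nor the caller is visible here), that walk would read past the end. Keeping a cap such as `if (arg_count < 9) arg_count++;` would preserve the old upper bound on the count while leaving the new pre-store checks in place.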

