PATCH: Fix buffer overflow in gas
- From: "H. J. Lu" <hjl at lucon dot org>
- To: binutils at sources dot redhat dot com
- Date: Mon, 1 May 2006 11:40:06 -0700
- Subject: PATCH: Fix buffer overflow in gas
There are some potential buffer overflows in gas. An 8-byte buffer isn't
enough to hold the formatted form of a negative byte. This patch fixes
them. Also, we should use snprintf instead of sprintf.
H.J.
---
2006-05-01 H.J. Lu <hongjiu.lu@intel.com>
* config/tc-i386.c (output_invalid_buf): Change size to 16.
* config/tc-tic30.c (output_invalid_buf): Likewise.
* config/tc-i386.c (output_invalid): Use snprintf instead of
sprintf.
* config/tc-ia64.c (declare_register_set): Likewise.
(emit_one_bundle): Likewise.
(check_dependencies): Likewise.
* config/tc-tic30.c (output_invalid): Likewise.
--- gas/config/tc-i386.c.buf 2006-04-25 14:35:46.000000000 -0700
+++ gas/config/tc-i386.c 2006-05-01 11:13:22.000000000 -0700
@@ -5251,16 +5251,18 @@ md_atof (type, litP, sizeP)
return 0;
}
-static char output_invalid_buf[8];
+static char output_invalid_buf[16];
static char *
output_invalid (c)
int c;
{
if (ISPRINT (c))
- sprintf (output_invalid_buf, "'%c'", c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "'%c'", c);
else
- sprintf (output_invalid_buf, "(0x%x)", (unsigned) c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "(0x%x)", (unsigned) c);
return output_invalid_buf;
}
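Review bot: The non-printable branch still formats `(unsigned) c`, so a high-bit byte that arrives as a negative value is sign-extended and printed with eight hex digits (a constructed example: `(0xffffff80)`) instead of the byte itself. That sign extension is the only reason 8 bytes were too small. If the callers, which are outside this hunk, only ever pass a single character, `"(0x%x)", (unsigned char) c` would report the real byte value and bound the output at 7 bytes including the terminator. The new size is also unexplained; a comment on the declaration such as `/* "(0x" + 8 hex digits + ")" + NUL = 13 with a 32-bit unsigned */` would show why 16 is enough. The same applies to `output_invalid` in tc-tic30.c, where `c` is a plain `char` and the sign extension depends on the host's `char` signedness.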
--- gas/config/tc-ia64.c.buf 2006-04-25 14:35:46.000000000 -0700
+++ gas/config/tc-ia64.c 2006-05-01 11:26:49.000000000 -0700
@@ -5634,7 +5634,7 @@ declare_register_set (prefix, num_regs,
for (i = 0; i < num_regs; ++i)
{
- sprintf (name, "%s%u", prefix, i);
+ snprintf (name, sizeof (name), "%s%u", prefix, i);
declare_register (name, base_regnum + i);
}
}
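Review bot: The snprintf result is discarded in the loop body, so a `prefix` that does not fit now yields a silently truncated `name` that is still passed to `declare_register`, registering a wrong or duplicate name where there used to be an overflow. Checking the return would turn that into an explicit failure, e.g. `if (snprintf (name, sizeof (name), "%s%u", prefix, i) >= (int) sizeof (name)) as_fatal ("declare_register_set: register name too long");`. The declaration of `name` is outside the hunk, so confirm it is an array, because `sizeof (name)` on a pointer would give the pointer size rather than the buffer size. The same unchecked truncation applies to `mnemonic` in the emit_one_bundle hunk. In check_dependencies the truncated text appears to be used only for a diagnostic, so it matters less there.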
@@ -6971,7 +6971,8 @@ emit_one_bundle ()
else
as_fatal ("emit_one_bundle: unexpected dynamic op");
- sprintf (mnemonic, "%s.%c", idesc->name, "?imbfxx"[insn_unit]);
+ snprintf (mnemonic, sizeof (mnemonic), "%s.%c",
+ idesc->name, "?imbfxx"[insn_unit]);
opnd1 = idesc->operands[0];
opnd2 = idesc->operands[1];
ia64_free_opcode (idesc);
@@ -10544,12 +10545,15 @@ check_dependencies (idesc)
int certain = (matchtype == 1 && CURR_SLOT.qp_regno == 0);
if (path != 0)
- sprintf (pathmsg, " when entry is at label '%s'",
+ snprintf (pathmsg, sizeof (pathmsg),
+ " when entry is at label '%s'",
md.entry_labels[path - 1]);
if (matchtype == 1 && rs->index >= 0)
- sprintf (indexmsg, ", specific resource number is %d",
+ snprintf (indexmsg, sizeof (indexmsg),
+ ", specific resource number is %d",
rs->index);
- sprintf (msg, "Use of '%s' %s %s dependency '%s' (%s)%s%s",
+ snprintf (msg, sizeof (msg),
+ "Use of '%s' %s %s dependency '%s' (%s)%s%s",
idesc->name,
(certain ? "violates" : "may violate"),
dv_mode[dep->mode], dep->name,
--- gas/config/tc-tic30.c.buf 2005-08-15 07:50:53.000000000 -0700
+++ gas/config/tc-tic30.c 2006-05-01 11:13:53.000000000 -0700
@@ -273,15 +273,17 @@ struct tic30_insn
struct tic30_insn insn;
static int found_parallel_insn;
-static char output_invalid_buf[8];
+static char output_invalid_buf[16];
static char *
output_invalid (char c)
{
if (ISPRINT (c))
- sprintf (output_invalid_buf, "'%c'", c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "'%c'", c);
else
- sprintf (output_invalid_buf, "(0x%x)", (unsigned) c);
+ snprintf (output_invalid_buf, sizeof (output_invalid_buf),
+ "(0x%x)", (unsigned) c);
return output_invalid_buf;
}