x86-64: properly bounds-check %bnd<N> in OP_G()

The restriction to %bnd0-%bnd3 requires to also check REX.R is clear,
just like OP_E_Register() also includes REX.B in its check.

3 files changed, 17 insertions, 1 deletions

diff --git a/gas/testsuite/gas/i386/x86-64-mpx.d b/gas/testsuite/gas/i386/x86-64-mpx.d
index f3217e0..2f45af0 100644
--- a/gas/testsuite/gas/i386/x86-64-mpx.d
+++ b/gas/testsuite/gas/i386/x86-64-mpx.d
@@ -191,5 +191,7 @@ Disassembly of section .text:
 [a-f0-9]+ <bad>:
 [ 	]*[a-f0-9]+:	0f 1a 30             	bndldx \(%rax\),\(bad\)
 [ 	]*[a-f0-9]+:	66 0f 1a c4          	bndmov \(bad\),%bnd0
+[ 	]*[a-f0-9]+:	66 41 0f 1a c0       	bndmov \(bad\),%bnd0
+[ 	]*[a-f0-9]+:	66 44 0f 1a c0       	bndmov %bnd0,\(bad\)
 [ 	]*[a-f0-9]+:	f3 0f 1b 05 90 90 90 90 	bndmk  \(bad\),%bnd0
 #pass
diff --git a/gas/testsuite/gas/i386/x86-64-mpx.s b/gas/testsuite/gas/i386/x86-64-mpx.s
index b113590..3594d8e 100644
--- a/gas/testsuite/gas/i386/x86-64-mpx.s
+++ b/gas/testsuite/gas/i386/x86-64-mpx.s
@@ -227,6 +227,20 @@ bad:
 	.byte 0x1a
 	.byte 0xc4
 
+	# bndmov with REX.B set
+	.byte 0x66
+	.byte 0x41
+	.byte 0x0f
+	.byte 0x1a
+	.byte 0xc0
+
+	# bndmov with REX.R set
+	.byte 0x66
+	.byte 0x44
+	.byte 0x0f
+	.byte 0x1a
+	.byte 0xc0
+
 	# bndmk (bad),%bnd0
 	.byte 0xf3
 	.byte 0x0f
diff --git a/opcodes/i386-dis.c b/opcodes/i386-dis.c
index e95d2ef..203dcef 100644
--- a/opcodes/i386-dis.c
+++ b/opcodes/i386-dis.c
@@ -11966,7 +11966,7 @@ OP_G (int bytemode, int sizeflag)
       oappend (names64[modrm.reg + add]);
       break;
     case bnd_mode:
-      if (modrm.reg > 0x3)
+      if (modrm.reg + add > 0x3)
 	{
 	  oappend ("(bad)");
 	  return;