From 6ef4fa071e2c25b71e81a91646b43378cf957388 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Wed, 3 Nov 2021 16:21:42 +1030
Subject: asan: dlltool buffer overflow: embedded NUL in string
yyleng gives the pattern length, xstrdup just copies up to the NUL. So it is quite possible writing at an index of yyleng-2 overflows the xstrdup allocated string buffer. xmemdup quite handily avoids this problem, even writing the terminating NUL over the trailing quote. Use it in ldlex.l too where we'd already had a report of this problem and fixed it by hand, and to implement xmemdup0 in gas.
binutils/
* deflex.l (single and double quote strings): Use xmemdup.
gas/
* as.h (xmemdup0): Use xmemdup.
ld/
PR 20906
* ldlex.l (double quote string): Use xmemdup.
---
ld/ldlex.l | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
(limited to 'ld/ldlex.l')
diff --git a/ld/ldlex.l b/ld/ldlex.l
index 6aeba6d..5db1e73 100644
--- a/ld/ldlex.l
+++ b/ld/ldlex.l
@@ -431,18 +431,10 @@ V_IDENTIFIER [*?.$_a-zA-Z\[\]\-\!\^\\]([*?.$_a-zA-Z0-9\[\]\-\!\^\\]|::)*
 }
 "\""[^\"]*"\"" {
- /* No matter the state, quotes
- give what's inside. */
- bfd_size_type len;
- yylval.name = xstrdup (yytext + 1);
- /* PR ld/20906. A corrupt input file
- can contain bogus strings. */
- len = strlen (yylval.name);
- if (len > (bfd_size_type) yyleng - 2)
- len = yyleng - 2;
- yylval.name[len] = 0;
- return NAME;
- }
+ /* No matter the state, quotes give what's inside. */
+ yylval.name = xmemdup (yytext + 1, yyleng - 2, yyleng - 1);
+ return NAME;
+ }
 "\n" { lineno++; }
-- 
cgit v1.1
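Review bot: The new xmemdup line drops the PR ld/20906 reference and the reason the copy is sized by yyleng rather than by strlen, so a later reader may "simplify" it back to xstrdup and reintroduce the overflow the commit message describes; keep the rationale next to the call, e.g. `/* PR ld/20906: yytext may hold an embedded NUL, so size the copy by yyleng; xmemdup NUL-terminates in the slot of the closing quote.  */`. The yyleng - 2 / yyleng - 1 arithmetic is safe here because the rule requires both quotes, so yyleng is at least 2, but a one-line comment saying so would save the next reviewer the same check. Note that the whole yyleng - 2 bytes are now copied, yet any consumer that treats yylval.name as a C string still sees only the prefix before an embedded NUL, which is presumably the intended handling of corrupt input. The rule action is complete within the hunk; the surrounding rule table continues outside it.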