authorJakub Jelinek <jakub@redhat.com>2020-01-28 08:44:07 +0100
committerJakub Jelinek <jakub@redhat.com>2020-01-28 08:44:07 +0100
commit3c076c9642fd8877def0a0597ec7e4adfb5aa3b3 (patch)
tree199493ac71d414ed3c771e3672533ebae48b35a7 /gcc/gimple-fold.c
parent8c08c983015e675f555d57a30e15d918abef2b93 (diff)
gimple-fold: Fix buffer overflow in fold_array_ctor_reference [PR93454]
libgcrypt FAILs to build on aarch64-linux with *** stack smashing detected ***: terminated when gcc is compiled with -D_FORTIFY_SOURCE=2. The problem is if fold_array_ctor_reference is called with size equal to or very close to MAX_BITSIZE_MODE_ANY_MODE bits and non-zero inner_offset. The first native_encode_expr is called with that inner_offset and bufoff 0, the subsequent ones with offset of 0, and bufoff elt_size - inner_offset, 2 * elt_size - inner_offset etc. So, e.g. on the testcase where we start with inner_offset 1 and size is e.g. 256 bytes and elt_size 4 bytes we then call native_encode_expr at bufoff 251 and then 255, but that one overwrites 3 bytes beyond the buf array. The following patch fixes that. In addition, it avoids calling elt_size.to_uhwi () all the time, and punts if elt_sz would be too large. 2020-01-28 Jakub Jelinek <jakub@redhat.com> PR tree-optimization/93454 * gimple-fold.c (fold_array_ctor_reference): Perform elt_size.to_uhwi () just once, instead of calling it in every iteration. Punt if that value is above size of the temporary buffer. Decrease third native_encode_expr argument when bufoff + elt_sz is above size of buf. * gcc.dg/pr93454.c: New test.
Diffstat (limited to 'gcc/gimple-fold.c')
-rw-r--r--gcc/gimple-fold.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/gcc/gimple-fold.c b/gcc/gimple-fold.c
index 569f91e..ed22592 100644
--- a/gcc/gimple-fold.c
+++ b/gcc/gimple-fold.c
@@ -6665,12 +6665,14 @@ fold_array_ctor_reference (tree type, tree ctor,
/* And offset within the access. */
inner_offset = offset % (elt_size.to_uhwi () * BITS_PER_UNIT);
- if (size > elt_size.to_uhwi () * BITS_PER_UNIT)
+ unsigned HOST_WIDE_INT elt_sz = elt_size.to_uhwi ();
+ if (size > elt_sz * BITS_PER_UNIT)
{
/* native_encode_expr constraints. */
if (size > MAX_BITSIZE_MODE_ANY_MODE
|| size % BITS_PER_UNIT != 0
- || inner_offset % BITS_PER_UNIT != 0)
+ || inner_offset % BITS_PER_UNIT != 0
+ || elt_sz > MAX_BITSIZE_MODE_ANY_MODE / BITS_PER_UNIT)
return NULL_TREE;
unsigned ctor_idx;
@@ -6701,10 +6703,11 @@ fold_array_ctor_reference (tree type, tree ctor,
index = wi::umax (index, access_index);
do
{
- int len = native_encode_expr (val, buf + bufoff,
- elt_size.to_uhwi (),
+ if (bufoff + elt_sz > sizeof (buf))
+ elt_sz = sizeof (buf) - bufoff;
+ int len = native_encode_expr (val, buf + bufoff, elt_sz,
inner_offset / BITS_PER_UNIT);
- if (len != elt_size - inner_offset / BITS_PER_UNIT)
+ if (len != (int) elt_sz - inner_offset / BITS_PER_UNIT)
return NULL_TREE;
inner_offset = 0;
bufoff += len;
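Review bot: The clamp at `if (bufoff + elt_sz > sizeof (buf))` permanently shrinks elt_sz for the rest of the loop without saying why, and a reader who does not know PR93454 will not see that a non-zero inner_offset on the first element is what pushes later bufoff values off the elt_sz grid. A comment above it would carry that, e.g. `/* The first element is encoded starting at inner_offset, so later bufoff values are not multiples of elt_sz and the last element can run past the end of buf; encode only the bytes that fit.  */`. The subtraction `sizeof (buf) - bufoff` also relies on bufoff never exceeding sizeof (buf); that appears to follow from the earlier size <= MAX_BITSIZE_MODE_ANY_MODE punt and from bufoff advancing only by len, but the do-while condition and the declaration of buf are outside this hunk, so it could not be confirmed here. If elt_sz is read again after the loop, the clamped value would leak out of it; a loop-local copy such as `unsigned HOST_WIDE_INT chunk = elt_sz;` clamped and passed to native_encode_expr would keep elt_sz intact.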