diff options
| author | Alan Modra <amodra@gmail.com> | 2017-02-11 17:17:59 +1030 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2017-02-11 17:51:09 +1030 |
| commit | b5a9a921e9780ee6dd8952382244213b105bbad4 (patch) | |
| tree | bad5aa344f54dde5a148445a17a2199773f68519 | |
| parent | 3fab3d160c59d3564090997ec19bc2263ee5f76d (diff) | |
| download | gdb-b5a9a921e9780ee6dd8952382244213b105bbad4.zip gdb-b5a9a921e9780ee6dd8952382244213b105bbad4.tar.gz gdb-b5a9a921e9780ee6dd8952382244213b105bbad4.tar.bz2 | |
Fix use after free in cgen instruction lookup
* cgen-opc.c (cgen_lookup_insn): Delete buf and base_insn temps.
Use insn_bytes_value and insn_int_value directly instead. Don't
free allocated memory until function exit.
| -rw-r--r-- | opcodes/ChangeLog | 7 | ||||
| -rw-r--r-- | opcodes/cgen-opc.c | 28 |
2 files changed, 20 insertions, 15 deletions
diff --git a/opcodes/ChangeLog b/opcodes/ChangeLog index 21e19bc..d096ce1 100644 --- a/opcodes/ChangeLog +++ b/opcodes/ChangeLog @@ -1,3 +1,10 @@ +2017-02-11 Stafford Horne <shorne@gmail.com> + Alan Modra <amodra@gmail.com> + + * cgen-opc.c (cgen_lookup_insn): Delete buf and base_insn temps. + Use insn_bytes_value and insn_int_value directly instead. Don't + free allocated memory until function exit. + 2017-02-10 Nicholas Piggin <npiggin@gmail.com> * ppc-opc.c (powerpc_opcodes) <scv, rfscv>: New mnemonics. diff --git a/opcodes/cgen-opc.c b/opcodes/cgen-opc.c index 72b4f05..4299db3 100644 --- a/opcodes/cgen-opc.c +++ b/opcodes/cgen-opc.c @@ -452,18 +452,14 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, CGEN_FIELDS *fields, int alias_p) { - unsigned char *buf; - CGEN_INSN_INT base_insn; CGEN_EXTRACT_INFO ex_info; CGEN_EXTRACT_INFO *info; if (cd->int_insn_p) { info = NULL; - buf = (unsigned char *) xmalloc (cd->max_insn_bitsize / 8); - cgen_put_insn_value (cd, buf, length, insn_int_value); - base_insn = insn_int_value; - free (buf); + insn_bytes_value = (unsigned char *) xmalloc (cd->max_insn_bitsize / 8); + cgen_put_insn_value (cd, insn_bytes_value, length, insn_int_value); } else { @@ -471,8 +467,7 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, ex_info.dis_info = NULL; ex_info.insn_bytes = insn_bytes_value; ex_info.valid = -1; - buf = insn_bytes_value; - base_insn = cgen_get_insn_value (cd, buf, length); + insn_int_value = cgen_get_insn_value (cd, insn_bytes_value, length); } if (!insn) @@ -482,7 +477,8 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, /* The instructions are stored in hash lists. Pick the first one and keep trying until we find the right one. */ - insn_list = cgen_dis_lookup_insn (cd, (char *) buf, base_insn); + insn_list = cgen_dis_lookup_insn (cd, (char *) insn_bytes_value, + insn_int_value); while (insn_list != NULL) { insn = insn_list->insn; @@ -494,18 +490,18 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, /* Basic bit mask must be correct. */ /* ??? May wish to allow target to defer this check until the extract handler. */ - if ((base_insn & CGEN_INSN_BASE_MASK (insn)) + if ((insn_int_value & CGEN_INSN_BASE_MASK (insn)) == CGEN_INSN_BASE_VALUE (insn)) { /* ??? 0 is passed for `pc' */ int elength = CGEN_EXTRACT_FN (cd, insn) - (cd, insn, info, base_insn, fields, (bfd_vma) 0); + (cd, insn, info, insn_int_value, fields, (bfd_vma) 0); if (elength > 0) { /* sanity check */ if (length != 0 && length != elength) abort (); - return insn; + break; } } } @@ -525,15 +521,17 @@ cgen_lookup_insn (CGEN_CPU_DESC cd, /* ??? 0 is passed for `pc' */ length = CGEN_EXTRACT_FN (cd, insn) - (cd, insn, info, base_insn, fields, (bfd_vma) 0); + (cd, insn, info, insn_int_value, fields, (bfd_vma) 0); /* Sanity check: must succeed. Could relax this later if it ever proves useful. */ if (length == 0) abort (); - return insn; } - return NULL; + if (cd->int_insn_p) + free (insn_bytes_value); + + return insn; } /* Fill in the operand instances used by INSN whose operands are FIELDS. |