diff options
| author | Alan Modra <amodra@gmail.com> | 2017-11-05 19:52:13 +1030 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2017-11-05 21:48:08 +1030 |
| commit | 26a9301057457ae576b51b8127bb805b4e484a6b (patch) | |
| tree | 02daecfaef5312504b4e5ac4c2ed374be6309a63 /bfd/bfd.c | |
| parent | 7167fe4c70ea74f1bb74a6130bb7e6bf5ca354ee (diff) | |
| download | gdb-26a9301057457ae576b51b8127bb805b4e484a6b.zip gdb-26a9301057457ae576b51b8127bb805b4e484a6b.tar.gz gdb-26a9301057457ae576b51b8127bb805b4e484a6b.tar.bz2 | |
Proper bound check in _bfd_doprnt_scan
While an abort after storing out of bounds by one to an array in our
caller is probably OK in practice, it's better to check before storing.
PR 22397
* bfd.c (_bfd_doprnt_scan): Check args index before storing, not
after.
Diffstat (limited to 'bfd/bfd.c')
| -rw-r--r-- | bfd/bfd.c | 12 |
1 files changed, 6 insertions, 6 deletions
@@ -974,10 +974,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args) arg_index = *ptr - '1'; ptr += 2; } + if (arg_index >= 9) + abort (); args[arg_index].type = Int; arg_count++; - if (arg_count > 9) - abort (); } else /* Handle explicit numeric value. */ @@ -999,10 +999,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args) arg_index = *ptr - '1'; ptr += 2; } + if (arg_index >= 9) + abort (); args[arg_index].type = Int; arg_count++; - if (arg_count > 9) - abort (); } else /* Handle explicit numeric value. */ @@ -1032,6 +1032,8 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args) if ((int) arg_no < 0) arg_no = arg_count; + if (arg_no >= 9) + abort (); switch (ptr[-1]) { case 'd': @@ -1100,8 +1102,6 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args) abort(); } arg_count++; - if (arg_count > 9) - abort (); } } |