diff options
author | Alan Modra <amodra@gmail.com> | 2021-11-03 16:21:42 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2021-11-03 17:06:09 +1030 |
commit | 6ef4fa071e2c25b71e81a91646b43378cf957388 (patch) | |
tree | 334807cc63fe61af871283a11915462a4071e924 /gas/as.h | |
parent | 3a275541049f295719782642fb8aa912b0a4a0d3 (diff) | |
download | gdb-6ef4fa071e2c25b71e81a91646b43378cf957388.zip gdb-6ef4fa071e2c25b71e81a91646b43378cf957388.tar.gz gdb-6ef4fa071e2c25b71e81a91646b43378cf957388.tar.bz2 |
asan: dlltool buffer overflow: embedded NUL in string
yyleng gives the pattern length, xstrdup just copies up to the NUL.
So it is quite possible writing at an index of yyleng-2 overflows
the xstrdup allocated string buffer. xmemdup quite handily avoids
this problem, even writing the terminating NUL over the trailing
quote. Use it in ldlex.l too where we'd already had a report of this
problem and fixed it by hand, and to implement xmemdup0 in gas.
binutils/
* deflex.l (single and double quote strings): Use xmemdup.
gas/
* as.h (xmemdup0): Use xmemdup.
ld/
PR 20906
* ldlex.l (double quote string): Use xmemdup.
Diffstat (limited to 'gas/as.h')
-rw-r--r-- | gas/as.h | 4 |
1 files changed, 1 insertions, 3 deletions
@@ -484,9 +484,7 @@ void add_debug_prefix_map (const char *); static inline char * xmemdup0 (const char *in, size_t len) { - char *out = (char *) xmalloc (len + 1); - out[len] = 0; - return (char *) memcpy (out, in, len); + return xmemdup (in, len, len + 1); } struct expressionS; |