author | Alan Modra <amodra@gmail.com> | 2021-11-03 16:21:42 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2021-11-03 17:06:09 +1030 |
commit | 6ef4fa071e2c25b71e81a91646b43378cf957388 (patch) | |
tree | 334807cc63fe61af871283a11915462a4071e924 /ld/ldlex.l | |
parent | 3a275541049f295719782642fb8aa912b0a4a0d3 (diff) | |
asan: dlltool buffer overflow: embedded NUL in string
yyleng gives the pattern length, xstrdup just copies up to the NUL.
So it is quite possible writing at an index of yyleng-2 overflows
the xstrdup allocated string buffer. xmemdup quite handily avoids
this problem, even writing the terminating NUL over the trailing
quote. Use it in ldlex.l too where we'd already had a report of this
problem and fixed it by hand, and to implement xmemdup0 in gas.
binutils/
* deflex.l (single and double quote strings): Use xmemdup.
gas/
* as.h (xmemdup0): Use xmemdup.
ld/
PR 20906
* ldlex.l (double quote string): Use xmemdup.
Diffstat (limited to 'ld/ldlex.l')
-rw-r--r-- | ld/ldlex.l | 16 |
1 files changed, 4 insertions, 12 deletions
@@ -431,18 +431,10 @@ V_IDENTIFIER [*?.$_a-zA-Z\[\]\-\!\^\\]([*?.$_a-zA-Z0-9\[\]\-\!\^\\]|::)* } <SCRIPT,EXPRESSION,WILD,VERS_NODE,INPUTLIST>"\""[^\"]*"\"" { - /* No matter the state, quotes - give what's inside. */ - bfd_size_type len; - yylval.name = xstrdup (yytext + 1); - /* PR ld/20906. A corrupt input file - can contain bogus strings. */ - len = strlen (yylval.name); - if (len > (bfd_size_type) yyleng - 2) - len = yyleng - 2; - yylval.name[len] = 0; - return NAME; - } + /* No matter the state, quotes give what's inside. */ + yylval.name = xmemdup (yytext + 1, yyleng - 2, yyleng - 1); + return NAME; + } <SCRIPT,EXPRESSION,WILD,VERS_START,VERS_NODE,VERS_SCRIPT,INPUTLIST>"\n" { lineno++; } |
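Review bot: The new `xmemdup (yytext + 1, yyleng - 2, yyleng - 1)` line relies on two invariants that the shortened comment no longer records, and the PR ld/20906 reference was dropped along with the old clamp. I would keep the reasoning next to the call, for example `/* The pattern matches both quotes, so yyleng >= 2. xmemdup zero-fills the yyleng - 1 byte buffer, so the result is NUL terminated even when a corrupt script embeds a NUL (PR ld/20906). */`. Without it, someone changing the pattern so that it can match fewer than two characters would make `yyleng - 2` wrap when converted to the size argument, with nothing nearby to warn them. Separately, a string with an embedded NUL is still returned as NAME, and any consumer that uses strlen will presumably see it cut at the first NUL. That matches the old behaviour, but it may be worth a note on whether such input should be diagnosed instead.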