aboutsummaryrefslogtreecommitdiff
path: root/ld/ldlex.l
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2021-11-03 16:21:42 +1030
committerAlan Modra <amodra@gmail.com>2021-11-03 17:06:09 +1030
commit6ef4fa071e2c25b71e81a91646b43378cf957388 (patch)
tree334807cc63fe61af871283a11915462a4071e924 /ld/ldlex.l
parent3a275541049f295719782642fb8aa912b0a4a0d3 (diff)
downloadgdb-6ef4fa071e2c25b71e81a91646b43378cf957388.zip
gdb-6ef4fa071e2c25b71e81a91646b43378cf957388.tar.gz
gdb-6ef4fa071e2c25b71e81a91646b43378cf957388.tar.bz2
asan: dlltool buffer overflow: embedded NUL in string
yyleng gives the pattern length, xstrdup just copies up to the NUL. So it is quite possible writing at an index of yyleng-2 overflows the xstrdup allocated string buffer. xmemdup quite handily avoids this problem, even writing the terminating NUL over the trailing quote. Use it in ldlex.l too where we'd already had a report of this problem and fixed it by hand, and to implement xmemdup0 in gas. binutils/ * deflex.l (single and double quote strings): Use xmemdup. gas/ * as.h (xmemdup0): Use xmemdup. ld/ PR 20906 * ldlex.l (double quote string): Use xmemdup.
Diffstat (limited to 'ld/ldlex.l')
-rw-r--r--ld/ldlex.l16
1 files changed, 4 insertions, 12 deletions
diff --git a/ld/ldlex.l b/ld/ldlex.l
index 6aeba6d..5db1e73 100644
--- a/ld/ldlex.l
+++ b/ld/ldlex.l
@@ -431,18 +431,10 @@ V_IDENTIFIER [*?.$_a-zA-Z\[\]\-\!\^\\]([*?.$_a-zA-Z0-9\[\]\-\!\^\\]|::)*
}
<SCRIPT,EXPRESSION,WILD,VERS_NODE,INPUTLIST>"\""[^\"]*"\"" {
- /* No matter the state, quotes
- give what's inside. */
- bfd_size_type len;
- yylval.name = xstrdup (yytext + 1);
- /* PR ld/20906. A corrupt input file
- can contain bogus strings. */
- len = strlen (yylval.name);
- if (len > (bfd_size_type) yyleng - 2)
- len = yyleng - 2;
- yylval.name[len] = 0;
- return NAME;
- }
+ /* No matter the state, quotes give what's inside. */
+ yylval.name = xmemdup (yytext + 1, yyleng - 2, yyleng - 1);
+ return NAME;
+ }
<SCRIPT,EXPRESSION,WILD,VERS_START,VERS_NODE,VERS_SCRIPT,INPUTLIST>"\n" {
lineno++; }