aboutsummaryrefslogtreecommitdiff
path: root/opcodes
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2019-12-19 15:38:39 +1030
committerAlan Modra <amodra@gmail.com>2019-12-19 15:38:39 +1030
commitf00901886d0acb7a4d4b177a5cabe8bd9ca2307b (patch)
tree5ed06c27df45ecc145c0562a7373db42b251bca5 /opcodes
parent9ad9b810c385c83242a3100fa986d174c83ffe10 (diff)
downloadgdb-f00901886d0acb7a4d4b177a5cabe8bd9ca2307b.zip
gdb-f00901886d0acb7a4d4b177a5cabe8bd9ca2307b.tar.gz
gdb-f00901886d0acb7a4d4b177a5cabe8bd9ca2307b.tar.bz2
vax decoding of indexed addressing mode
This patch prevents print_insn_mode recursing into another index mode byte, which if repeated enough times will overflow private.the_buffer and scribble over other memory. * vax-dis.c (print_insn_mode): Stop index mode recursion.
Diffstat (limited to 'opcodes')
-rw-r--r--opcodes/ChangeLog4
-rw-r--r--opcodes/vax-dis.c14
2 files changed, 16 insertions, 2 deletions
diff --git a/opcodes/ChangeLog b/opcodes/ChangeLog
index 0ace940..49b94e3 100644
--- a/opcodes/ChangeLog
+++ b/opcodes/ChangeLog
@@ -1,3 +1,7 @@
+2019-12-19 Alan Modra <amodra@gmail.com>
+
+ * vax-dis.c (print_insn_mode): Stop index mode recursion.
+
2019-12-19 Dr N.W. Filardo <nwf20@cam.ac.uk>
PR 25277
diff --git a/opcodes/vax-dis.c b/opcodes/vax-dis.c
index 0b33141..f880015 100644
--- a/opcodes/vax-dis.c
+++ b/opcodes/vax-dis.c
@@ -240,8 +240,18 @@ print_insn_mode (const char *d,
(*info->fprintf_func) (info->stream, "$0x%x", mode);
break;
case 0x40: /* Index: base-addr[Rn] */
- p += print_insn_mode (d, size, p0 + 1, addr + 1, info);
- (*info->fprintf_func) (info->stream, "[%s]", reg_names[reg]);
+ {
+ unsigned char *q = p0 + 1;
+ unsigned char nextmode = NEXTBYTE (q);
+ if (nextmode < 0x60 || nextmode == 0x8f)
+ /* Literal, index, register, or immediate is invalid. In
+ particular don't recurse into another index mode which
+ might overflow the_buffer. */
+ (*info->fprintf_func) (info->stream, "[invalid base]");
+ else
+ p += print_insn_mode (d, size, p0 + 1, addr + 1, info);
+ (*info->fprintf_func) (info->stream, "[%s]", reg_names[reg]);
+ }
break;
case 0x50: /* Register: Rn */
(*info->fprintf_func) (info->stream, "%s", reg_names[reg]);