From 6ef4fa071e2c25b71e81a91646b43378cf957388 Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Wed, 3 Nov 2021 16:21:42 +1030 Subject: asan: dlltool buffer overflow: embedded NUL in string yyleng gives the pattern length, xstrdup just copies up to the NUL. So it is quite possible writing at an index of yyleng-2 overflows the xstrdup allocated string buffer. xmemdup quite handily avoids this problem, even writing the terminating NUL over the trailing quote. Use it in ldlex.l too where we'd already had a report of this problem and fixed it by hand, and to implement xmemdup0 in gas. binutils/ * deflex.l (single and double quote strings): Use xmemdup. gas/ * as.h (xmemdup0): Use xmemdup. ld/ PR 20906 * ldlex.l (double quote string): Use xmemdup.
---
binutils/deflex.l | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'binutils/deflex.l')
diff --git a/binutils/deflex.l b/binutils/deflex.l
index 1f3ba65..def908c 100644
--- a/binutils/deflex.l
+++ b/binutils/deflex.l
@@ -69,14 +69,12 @@ int linenumber;
 }
 "\""[^\"]*"\"" {
- yylval.id = xstrdup (yytext+1);
- yylval.id[yyleng-2] = 0;
+ yylval.id = xmemdup (yytext + 1, yyleng - 2, yyleng - 1);
 return ID;
 }
 "\'"[^\']*"\'" {
- yylval.id = xstrdup (yytext+1);
- yylval.id[yyleng-2] = 0;
+ yylval.id = xmemdup (yytext + 1, yyleng - 2, yyleng - 1);
 return ID;
 }
 "*".* { }
-- cgit v1.1
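Review bot: In both quote rules the new `xmemdup (yytext + 1, yyleng - 2, yyleng - 1)` call sizes the allocation from `yyleng`, which removes the overflow, but a quoted string with an embedded NUL is still passed on as a plain `char *` in `yylval.id`. Any consumer that uses `strlen` or `strcmp` on it will silently see the name cut at the first NUL, so a crafted .def file can still yield an identifier different from the one written. If such input should be rejected rather than truncated, a `memchr (yytext + 1, 0, yyleng - 2)` test before the copy would make that explicit; how this lexer reports errors is not visible in the hunk. The three-argument call is also not self-explanatory, so a comment on the first rule such as `/* Copy the text between the quotes; the extra zeroed byte from xmemdup is the terminator.  */` would help the next reader.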