Toolchain/binutils-gdb
1
0
Fork 0
forked from Imagelibrary/binutils-gdb
Code Pull Requests Activity

asan: dlltool buffer overflow: embedded NUL in string

Browse Source 
yyleng gives the pattern length, xstrdup just copies up to the NUL.
So it is quite possible writing at an index of yyleng-2 overflows
the xstrdup allocated string buffer.  xmemdup quite handily avoids
this problem, even writing the terminating NUL over the trailing
quote.  Use it in ldlex.l too where we'd already had a report of this
problem and fixed it by hand, and to implement xmemdup0 in gas.

binutils/
	* deflex.l (single and double quote strings): Use xmemdup.
gas/
	* as.h (xmemdup0): Use xmemdup.
ld/
	PR 20906
	* ldlex.l (double quote string): Use xmemdup.
This commit is contained in:
Alan Modra
2021-11-03 16:21:42 +10:30
parent 3a27554104
commit 6ef4fa071e
3 changed files with 7 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
binutils/deflex.l
View File

@@ -69,14 +69,12 @@ int linenumber;
}
"\""[^\"]*"\"" {
yylval.id = xstrdup (yytext+1);
yylval.id[yyleng-2] = 0;
yylval.id = xmemdup (yytext + 1, yyleng - 2, yyleng - 1);
return ID;
}
"\'"[^\']*"\'" {
yylval.id = xstrdup (yytext+1);
yylval.id[yyleng-2] = 0;
yylval.id = xmemdup (yytext + 1, yyleng - 2, yyleng - 1);
return ID;
}
"*".* { }