Commit: Fix buffer overrun in TIC30 disassembler

Message ID 87mudkn8x4.fsf@redhat.com
State New
Headers show
Series
  • Commit: Fix buffer overrun in TIC30 disassembler
Related show

Commit Message

Nick Clifton Oct. 28, 2019, 4:15 p.m.
Hi Guys,

  I am applying the patch below to fix a buffer overrun bug in the TIC30
  disassembler.

Cheers
  Nick

opcodes/ChangeLog
2019-10-28  Nick Clifton  <nickc@redhat.com>

	* tic30-dis.c (OPERAND_BUFFER_LEN): Define.  Use as length of
	operand buffer.  Set value to 15 not 13.
	(get_register_operand): Use OPERAND_BUFFER_LEN.
	(get_indirect_operand): Likewise.
	(print_two_operand): Likewise.
	(print_three_operand): Likewise.
	(print_oar_insn): Likewise.

Patch

diff --git a/opcodes/tic30-dis.c b/opcodes/tic30-dis.c
index 668c519df8..a28be8307f 100644
--- a/opcodes/tic30-dis.c
+++ b/opcodes/tic30-dis.c
@@ -188,6 +188,8 @@  get_tic30_instruction (unsigned long insn_word, struct instruction *insn)
   return 1;
 }
 
+#define OPERAND_BUFFER_LEN 15
+
 static int
 get_register_operand (unsigned char fragment, char *buffer)
 {
@@ -199,7 +201,8 @@  get_register_operand (unsigned char fragment, char *buffer)
     {
       if ((fragment & 0x1F) == current_reg->opcode)
 	{
-	  strcpy (buffer, current_reg->name);
+	  strncpy (buffer, current_reg->name, OPERAND_BUFFER_LEN);
+	  buffer[OPERAND_BUFFER_LEN - 1] = 0;
 	  return 1;
 	}
     }
@@ -250,18 +253,25 @@  get_indirect_operand (unsigned short fragment,
 		int bufcnt;
 
 		len = strlen (current_ind->syntax);
+
 		for (i = 0, bufcnt = 0; i < len; i++, bufcnt++)
 		  {
 		    buffer[bufcnt] = current_ind->syntax[i];
+
 		    if (bufcnt > 0
+			&& bufcnt < OPERAND_BUFFER_LEN - 1
 			&& buffer[bufcnt - 1] == 'a'
 			&& buffer[bufcnt] == 'r')
 		      buffer[++bufcnt] = arnum + '0';
-		    if (buffer[bufcnt] == '('
+		    
+		    if (bufcnt < OPERAND_BUFFER_LEN - 1
+			&& buffer[bufcnt] == '('
 			&& current_ind->displacement == DISP_REQUIRED)
 		      {
-			sprintf (&buffer[bufcnt + 1], "%u", disp);
-			bufcnt += strlen (&buffer[bufcnt + 1]);
+			snprintf (buffer + (bufcnt + 1),
+				 OPERAND_BUFFER_LEN - (bufcnt + 1),
+				 "%u", disp);
+			bufcnt += strlen (buffer + (bufcnt + 1));
 		      }
 		  }
 		buffer[bufcnt + 1] = '\0';
@@ -342,7 +352,7 @@  print_two_operand (disassemble_info *info,
 		   struct instruction *insn)
 {
   char name[12];
-  char operand[2][13] =
+  char operand[2][OPERAND_BUFFER_LEN] =
   {
     {0},
     {0}
@@ -429,7 +439,7 @@  print_three_operand (disassemble_info *info,
 		     unsigned long insn_word,
 		     struct instruction *insn)
 {
-  char operand[3][13] =
+  char operand[3][OPERAND_BUFFER_LEN] =
   {
     {0},
     {0},
@@ -475,7 +485,7 @@  print_par_insn (disassemble_info *info,
 {
   size_t i, len;
   char *name1, *name2;
-  char operand[2][3][13] =
+  char operand[2][3][OPERAND_BUFFER_LEN] =
   {
     {
       {0},