From 1c529385d9d7f53efa541d9701ec8c1001581e3e Mon Sep 17 00:00:00 2001 From: Li Hao Date: Fri, 15 Mar 2019 11:58:05 +0000 Subject: [PATCH] Fix a potential illegal memory access whilt parsing an x86 insn. PR 24308 * config/tc-i386.c (parse_insn): Check mnemp before using it to determine if a suffix can be trimmed. --- gas/ChangeLog | 6 ++++ gas/config/tc-i386.c | 68 +++++++++++++++++++++++--------------------- 2 files changed, 42 insertions(+), 32 deletions(-) diff --git a/gas/ChangeLog b/gas/ChangeLog index d08c09647c6..bf0c1710011 100644 --- a/gas/ChangeLog +++ b/gas/ChangeLog @@ -1,3 +1,9 @@ +2019-03-15 Li Hao + + PR 24308 + * config/tc-i386.c (parse_insn): Check mnemp before using it to + determine if a suffix can be trimmed. + 2019-03-13 Christian Eggers * dwarf2dbg.c (out_set_addr): Align relocation within .debug_line. diff --git a/gas/config/tc-i386.c b/gas/config/tc-i386.c index d31ee6abdd0..1b1b0a95da8 100644 --- a/gas/config/tc-i386.c +++ b/gas/config/tc-i386.c 
@@ -4561,46 +4561,50 @@ parse_insn (char *line, char *mnemonic) if (!current_templates) { check_suffix: - /* See if we can get a match by trimming off a suffix. */ - switch (mnem_p[-1]) + if (mnem_p > mnemonic) { - case WORD_MNEM_SUFFIX: - if (intel_syntax && (intel_float_operand (mnemonic) & 2)) - i.suffix = SHORT_MNEM_SUFFIX; - else - /* Fall through. */ - case BYTE_MNEM_SUFFIX: - case QWORD_MNEM_SUFFIX: - i.suffix = mnem_p[-1]; - mnem_p[-1] = '\0'; - current_templates = (const templates *) hash_find (op_hash, - mnemonic); - break; - case SHORT_MNEM_SUFFIX: - case LONG_MNEM_SUFFIX: - if (!intel_syntax) + /* See if we can get a match by trimming off a suffix. */ + switch (mnem_p[-1]) { - i.suffix = mnem_p[-1]; - mnem_p[-1] = '\0'; - current_templates = (const templates *) hash_find (op_hash, - mnemonic); - } - break; - - /* Intel Syntax. */ - case 'd': - if (intel_syntax) - { - if (intel_float_operand (mnemonic) == 1) + case WORD_MNEM_SUFFIX: + if (intel_syntax && (intel_float_operand (mnemonic) & 2)) i.suffix = SHORT_MNEM_SUFFIX; else - i.suffix = LONG_MNEM_SUFFIX; + /* Fall through. */ + case BYTE_MNEM_SUFFIX: + case QWORD_MNEM_SUFFIX: + i.suffix = mnem_p[-1]; mnem_p[-1] = '\0'; current_templates = (const templates *) hash_find (op_hash, - mnemonic); + mnemonic); + break; + case SHORT_MNEM_SUFFIX: + case LONG_MNEM_SUFFIX: + if (!intel_syntax) + { + i.suffix = mnem_p[-1]; + mnem_p[-1] = '\0'; + current_templates = (const templates *) hash_find (op_hash, + mnemonic); + } + break; + + /* Intel Syntax. */ + case 'd': + if (intel_syntax) + { + if (intel_float_operand (mnemonic) == 1) + i.suffix = SHORT_MNEM_SUFFIX; + else + i.suffix = LONG_MNEM_SUFFIX; + mnem_p[-1] = '\0'; + current_templates = (const templates *) hash_find (op_hash, + mnemonic); + } + break; } - break; } + if (!current_templates) { as_bad (_("no such instruction: `%s'"), token_start);
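Review bot: The new `if (mnem_p > mnemonic)` guard right after `check_suffix:` carries no comment explaining why it exists, and the moved "See if we can get a match by trimming off a suffix" comment now sits inside it, describing only the switch. I would add a line above the guard such as `/* If mnem_p == mnemonic, mnem_p[-1] is the byte before the start of mnemonic; do not read or write it.  */`, because the same index is also used for the `mnem_p[-1] = '\0'` stores in the cases below. The diffstat lists only gas/ChangeLog and gas/config/tc-i386.c, so the input from PR 24308 is apparently not pinned by a regression test; one in the gas testsuite would stop a later refactor of this switch from silently dropping the bound check. parse_insn begins and ends outside this hunk, so whether every jump to `check_suffix:` leaves `mnem_p` pointing into `mnemonic` cannot be confirmed from here.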