From: p.antoine at catenacyber dot fr
Subject: [Bug binutils/24961] New: Buffer off by one under read in get_indirect_operand for tic30
Date: Tue, 03 Sep 2019 13:38:02 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24961
Bug ID: 24961
Summary: Buffer off by one under read in get_indirect_operand for tic30
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: p.antoine at catenacyber dot fr
Target Milestone: ---
Binutils is the version from commit 217d2eaa69c2a5d58cdfd11619c4f2e41c986826.
I have been fuzzing the binutils disassembler; you can find the fuzz target here:
https://github.com/google/oss-fuzz/pull/2617
The bug is in
```
  for (i = 0, bufcnt = 0; i < len; i++, bufcnt++)
    {
      buffer[bufcnt] = current_ind->syntax[i];
      /* On the first pass bufcnt is 0, so this reads buffer[-1].  */
      if (buffer[bufcnt - 1] == 'a' && buffer[bufcnt] == 'r')
```
buffer[bufcnt - 1] should not be accessed on the first iteration.
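To make the first-iteration read concrete, here is a constructed, stand-alone model of that loop (an added example, not code from the report or from binutils); `format_indirect`, `run_with_stale_byte`, `produces` and the syntax strings are assumptions, and the buffer is placed one byte into a larger array so the stray read lands on a byte we control and the output can be compared with and without the patch's guard.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of the copy loop in get_indirect_operand (tic30-dis.c):
   syntax and the AR number are passed in directly.  guard = 0 is the loop
   as reported, guard = 1 adds the patch's bufcnt > 0 check.  Returns the
   length of the string written to buffer.  */
static int format_indirect (const char *syntax, int arnum, char *buffer, int guard)
{
  int len = (int) strlen (syntax), i, bufcnt;
  for (i = 0, bufcnt = 0; i < len; i++, bufcnt++)
    {
      buffer[bufcnt] = syntax[i];
      /* Unguarded, the first iteration compares buffer[-1], one byte before
         the buffer; guarded, it waits until a previous byte exists.  */
      if ((!guard || bufcnt > 0)
          && buffer[bufcnt - 1] == 'a' && buffer[bufcnt] == 'r')
        buffer[++bufcnt] = (char) (arnum + '0');
    }
  buffer[bufcnt] = '\0';
  return bufcnt;
}

/* Place the buffer one byte into a larger array so buffer[-1] is a byte we
   own and choose (in the disassembler it is whatever precedes the buffer).  */
static int run_with_stale_byte (const char *syntax, char stale, int guard, char *out)
{
  char storage[64] = { 0 };
  storage[0] = stale;                       /* seen as buffer[-1] */
  int n = format_indirect (syntax, 3, storage + 1, guard);
  strcpy (out, storage + 1);
  return n;
}

/* 1 if the loop turns syntax into expect under these conditions.  */
static int produces (const char *syntax, char stale, int guard, const char *expect)
{
  char out[64];
  run_with_stale_byte (syntax, stale, guard, out);
  return strcmp (out, expect) == 0;
}

int main (void)
{
  char out[64];                 /* "r+ar" is a constructed syntax string */
  run_with_stale_byte ("r+ar", 'a', 0, out);
  printf ("unguarded: %s\n", out);
  run_with_stale_byte ("r+ar", 'a', 1, out);
  printf ("guarded:   %s\n", out);
  return 0;
}
```

With a stale 'a' before the buffer, the unguarded loop emits `r3+ar3` while the guarded one emits `r+ar3`: the output depends on memory outside the buffer, which is exactly what AddressSanitizer reports for the real loop.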
The patch could simply be
```
diff --git a/opcodes/tic30-dis.c b/opcodes/tic30-dis.c
index c64aceb2..29ca775c 100644
--- a/opcodes/tic30-dis.c
+++ b/opcodes/tic30-dis.c
@@ -253,7 +253,7 @@ get_indirect_operand (unsigned short fragment,
for (i = 0, bufcnt = 0; i < len; i++, bufcnt++)
{
buffer[bufcnt] = current_ind->syntax[i];
- if (buffer[bufcnt - 1] == 'a' && buffer[bufcnt] == 'r')
+ if (bufcnt > 0 && buffer[bufcnt - 1] == 'a' &&
buffer[bufcnt] == 'r')
buffer[++bufcnt] = arnum + '0';
if (buffer[bufcnt] == '('
&& current_ind->displacement == DISP_REQUIRED)
```
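Review bot: the wrapped continuation line `buffer[bufcnt] == 'r')` carries no leading `+`, so as pasted the new side of the hunk contains an unmarked line and `git apply` or `patch` will reject it; either keep the whole condition on the `+` line or prefix the continuation with `+` (and recount the `@@ -253,7 +253,7 @@` header if it becomes two added lines). Style-wise, binutils follows GNU formatting, which places the `&&` at the start of the continuation line rather than at the end of the previous one, i.e. `+      if (bufcnt > 0 && buffer[bufcnt - 1] == 'a'` / `+          && buffer[bufcnt] == 'r')`. The guard itself is the right minimal fix: `bufcnt` starts at 0 and `buffer[bufcnt]` is assigned just before the comparison, so `bufcnt > 0` is precisely the condition under which `buffer[bufcnt - 1]` is a byte this loop wrote.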