ARM's *push_multi pattern code implementation can result in a buffer overflow. The assembler instruction is built up there in a 100-byte buffer, but in the worst case more buffer space is needed.

Original code:
--8<--
  {
    int i;
    char pattern[100];

    if (TARGET_ARM)
      strcpy (pattern, \"stmfd\\t%m0!, {%1\");
    else
      strcpy (pattern, \"push\\t{%1\");

    for (i = 1; i < num_saves; i++)
      {
        strcat (pattern, \", %|\");
        strcat (pattern, reg_names[REGNO (XEXP (XVECEXP (operands[2], 0, i), 0))]);
      }
    strcat (pattern, \"}\");

    output_asm_insn (pattern, operands);
  }
--8<--

The worst-case scenario is when num_saves = 16 and TARGET_ARM, which requires:

  "stmfd\t%m0!, {%1"   = 15 bytes
  ", %|"               = 4 * (num_saves - 1) bytes
  regname              = 2 * (num_saves - 1) bytes
  "}"                  = 1 byte
  "\0"                 = 1 byte

In total 107 bytes. Hence, this patch:

gcc\
	John Tytgat <john.tyt...@aaug.net>

	* config/arm/arm.md (*push_multi): Increase pattern buffer size.

--- config/arm/arm.md (revision 162411) +++ config/arm/arm.md (working copy) @@ -10950,12 +10950,12 @@ else { int i; - char pattern[100]; + char pattern[128]; if (TARGET_ARM) - strcpy (pattern, \"stmfd\\t%m0!, {%1\"); + strcpy (pattern, \"stmfd\\t%m0!, {%1\"); else - strcpy (pattern, \"push\\t{%1\"); + strcpy (pattern, \"push\\t{%1\"); for (i = 1; i < num_saves; i++) {

--
Summary: Buffer overflow in *push_multi pattern
Product: gcc
Version: 4.6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: John dot Tytgat at aaug dot net
GCC build triplet: x86_64-unknown-linux-gnu
GCC host triplet: x86_64-unknown-linux-gnu
GCC target triplet: arm-unknown-riscos

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=45029
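Review bot: the hunk removes and re-adds both strcpy lines (`- strcpy (pattern, \"stmfd\\t%m0!, {%1\");` followed by `+ strcpy (pattern, \"stmfd\\t%m0!, {%1\");`, and likewise the push pair) with no visible difference, so this looks like whitespace-only churn; either drop those lines from the patch or mention the whitespace change in the ChangeLog entry so the diff matches its description ("Increase pattern buffer size"). For the `+ char pattern[128];` line itself, a short comment recording the derivation from the report (15 + 6 * 15 + 2 = 107 bytes for num_saves = 16 under TARGET_ARM) would explain why 128 is sufficient and keep a later cleanup from shrinking the buffer again.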
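The worst-case count the report works through, as an added example that is not part of the bug report or of GCC's code: it models the template build with bounded appends and returns the bytes needed, which also shows that the 100-byte buffer is already too small from num_saves = 15 under TARGET_ARM, not only at 16. The register-name table and the buffer sizes are assumptions constructed for this example.

```c
/* Added example, not GCC's code: models the *push_multi template build
   from the report with bounded appends and returns how many bytes the
   template needs, so the 107-byte worst case can be checked.  The
   register-name table is constructed here (GCC's ARM names for r0..r15). */
#include <stddef.h>
#include <string.h>
static const char *const arm_reg_names[16] = {
  "r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7",
  "r8", "r9", "sl", "fp", "ip", "sp", "lr", "pc"
};

/* Build the template for num_saves registers into buf (bufsize bytes) the
   way the original code does, but never writing past the buffer.  Returns
   the bytes required including the terminating NUL, whether or not the
   template fit, so the caller can compare it against bufsize. */
size_t build_push_multi (char *buf, size_t bufsize, int target_arm, int num_saves)
{
  size_t need = 0;  /* content length so far, excluding the NUL */
  int i;
  buf[0] = '\0';
  /* Append only while the content plus its NUL still fits. */
#define APPEND(s) do { need += strlen (s); \
                       if (need < bufsize) strcat (buf, (s)); } while (0)
  APPEND (target_arm ? "stmfd\t%m0!, {%1" : "push\t{%1");
  for (i = 1; i < num_saves; i++)
    {
      APPEND (", %|");
      APPEND (arm_reg_names[i]);  /* stands in for reg_names[REGNO (...)] */
    }
  APPEND ("}");
#undef APPEND
  return need + 1;  /* + terminating NUL */
}

/* Bytes required (including NUL) for one configuration. */
size_t push_multi_need (int target_arm, int num_saves)
{
  char buf[256];
  return build_push_multi (buf, sizeof buf, target_arm, num_saves);
}

/* Smallest num_saves in 1..16 whose template does not fit in bufsize, or 0. */
int first_overflowing_num_saves (int target_arm, size_t bufsize)
{
  int n;
  for (n = 1; n <= 16; n++)
    if (push_multi_need (target_arm, n) > bufsize)
      return n;
  return 0;
}
```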