[PATCH] rs6000: Avoid buffer overruns

Thu, 12 Aug 2021 13:29:34 -0700 

Although safe_inc_pos avoids buffer overruns in rs6000-gen-builtins.c,
there are some other routines where we fail to detect the possibility.
Clean those up!

Regstrap in progress on powerpc64le-linux-gnu.  OK for trunk if that
passes?

Thanks,
Bill

2021-08-12  Bill Schmidt  <wschm...@linux.ibm.com>

gcc/
        * config/rs6000/rs6000-gen-builtins.c (consume_whitespace):
        Diagnose buffer overrun.
        (match_identifier): Likewise.
        (match_integer): Likewise.
        (match_to_right_bracket): Likewise.
---
 gcc/config/rs6000/rs6000-gen-builtins.c | 32 ++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/gcc/config/rs6000/rs6000-gen-builtins.c 
b/gcc/config/rs6000/rs6000-gen-builtins.c
index 22902c37d55..ff8872c59e4 100644
--- a/gcc/config/rs6000/rs6000-gen-builtins.c
+++ b/gcc/config/rs6000/rs6000-gen-builtins.c
@@ -638,6 +638,13 @@ consume_whitespace (void)
 {
   while (pos < LINELEN && isspace(linebuf[pos]) && linebuf[pos] != '\n')
     pos++;
+
+  if (pos >= LINELEN)
+    {
+      diag (pos, "line length overrun.\n");
+      exit (1);
+    }
+
   return;
 }
 
@@ -697,9 +704,16 @@ static char *
 match_identifier (void)
 {
   int lastpos = pos - 1;
-  while (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_')
+  while (lastpos < LINELEN - 1
+        && (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_'))
     ++lastpos;
 
+  if (lastpos >= LINELEN - 1)
+    {
+      diag (lastpos, "line length overrun.\n");
+      exit (1);
+    }
+
   if (lastpos < pos)
     return 0;
 
@@ -721,9 +735,15 @@ match_integer (void)
     safe_inc_pos ();
 
   int lastpos = pos - 1;
-  while (isdigit (linebuf[lastpos + 1]))
+  while (lastpos < LINELEN - 1 && isdigit (linebuf[lastpos + 1]))
     ++lastpos;
 
+  if (lastpos >= LINELEN - 1)
+    {
+      diag (lastpos, "line length overrun.\n");
+      exit (1);
+    }
+
   if (lastpos < pos)
     return NULL;
 
@@ -741,13 +761,19 @@ static const char *
 match_to_right_bracket (void)
 {
   int lastpos = pos - 1;
-  while (linebuf[lastpos + 1] != ']')
+  while (lastpos < LINELEN - 1 && linebuf[lastpos + 1] != ']')
     {
       if (linebuf[lastpos + 1] == '\n')
        fatal ("no ']' found before end of line.\n");
       ++lastpos;
     }
 
+  if (lastpos >= LINELEN - 1)
+    {
+      diag (lastpos, "line length overrun.\n");
+      exit (1);
+    }
+
   if (lastpos < pos)
     return 0;
 
-- 
2.27.0

Reply via email to