Re: [PATCH v2] rs6000: Avoid buffer overruns

[Segher Boessenkool]

Hi!

On Thu, Aug 19, 2021 at 04:40:42PM -0500, Bill Schmidt wrote:
> I totally biffed the previous version of this patch, as it was built
> against an experimental tree instead of trunk.  Trying again...
> 
> Although safe_inc_pos avoids buffer overruns in rs6000-gen-builtins.c,
> there are some other routines where we fail to detect the possibility.
> Clean those up!  (Also, safe_inc_pos is not quite right itself.)

>   PR target/101830
>   * config/rs6000/rs6000-gen-builtins.c (consume_whitespace):
>   Diagnose buffer overrun.

Please don't break changelog lines unnecessary.

>   (safe_inc_pos): Fix overrun detection.
>   (match_identifier): Diagnose buffer overrun.
>   (match_integer): Likewise.
>   (match_to_right_bracket): Likewise.

Okay for trunk.  Thanks!


Segher

[PATCH v2] rs6000: Avoid buffer overruns

[Bill Schmidt via Gcc-patches]

Hi,

I totally biffed the previous version of this patch, as it was built
against an experimental tree instead of trunk.  Trying again...

Although safe_inc_pos avoids buffer overruns in rs6000-gen-builtins.c,
there are some other routines where we fail to detect the possibility.
Clean those up!  (Also, safe_inc_pos is not quite right itself.)

Bootstrapped and tested on powerpc64le-linux-gnu, this time without
some unsubmitted patches in the way.  Is this OK for trunk?

Thanks,
Bill


2021-08-19  Bill Schmidt  

gcc/
PR target/101830
* config/rs6000/rs6000-gen-builtins.c (consume_whitespace):
Diagnose buffer overrun.
(safe_inc_pos): Fix overrun detection.
(match_identifier): Diagnose buffer overrun.
(match_integer): Likewise.
(match_to_right_bracket): Likewise.
---
 gcc/config/rs6000/rs6000-gen-builtins.c | 34 ++---
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/gcc/config/rs6000/rs6000-gen-builtins.c 
b/gcc/config/rs6000/rs6000-gen-builtins.c
index e5d3b71b622..05b2d2939b5 100644
--- a/gcc/config/rs6000/rs6000-gen-builtins.c
+++ b/gcc/config/rs6000/rs6000-gen-builtins.c
@@ -597,6 +597,13 @@ consume_whitespace (void)
 {
   while (pos < LINELEN && isspace(linebuf[pos]) && linebuf[pos] != '\n')
 pos++;
+
+  if (pos >= LINELEN)
+{
+  diag ("line length overrun at %d.\n", pos);
+  exit (1);
+}
+
   return;
 }
 
@@ -623,7 +630,7 @@ advance_line (FILE *file)

 static inline void
 safe_inc_pos (void)
 {
-  if (pos++ >= LINELEN)
+  if (++pos >= LINELEN)
 {
   (*diag) ("line length overrun.\n");
   exit (1);
@@ -636,9 +643,16 @@ static char *
 match_identifier (void)
 {
   int lastpos = pos - 1;
-  while (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_')
+  while (lastpos < LINELEN - 1
+&& (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_'))
 ++lastpos;
 
+  if (lastpos >= LINELEN - 1)

+{
+  diag ("line length overrun at %d.\n", lastpos);
+  exit (1);
+}
+
   if (lastpos < pos)
 return 0;
 
@@ -660,9 +674,15 @@ match_integer (void)

 safe_inc_pos ();
 
   int lastpos = pos - 1;

-  while (isdigit (linebuf[lastpos + 1]))
+  while (lastpos < LINELEN - 1 && isdigit (linebuf[lastpos + 1]))
 ++lastpos;
 
+  if (lastpos >= LINELEN - 1)

+{
+  diag ("line length overrun at %d.\n", lastpos);
+  exit (1);
+}
+
   if (lastpos < pos)
 return NULL;
 
@@ -680,7 +700,7 @@ static const char *

 match_to_right_bracket (void)
 {
   int lastpos = pos - 1;
-  while (linebuf[lastpos + 1] != ']')
+  while (lastpos < LINELEN - 1 && linebuf[lastpos + 1] != ']')
 {
   if (linebuf[lastpos + 1] == '\n')
{
@@ -690,6 +710,12 @@ match_to_right_bracket (void)
   ++lastpos;
 }
 
+  if (lastpos >= LINELEN - 1)

+{
+  diag ("line length overrun at %d.\n", lastpos);
+  exit (1);
+}
+
   if (lastpos < pos)
 return 0;
 
--

2.27.0