buffer overflow in gas/app.c

This testcase:
 .irp x x x "
 .end #
 .endr
manages to access lex[EOF].

xxx: Warning: end of file in string; '"' inserted
xxx:1: Warning: missing closing `"'
gas/app.c:844:16: runtime error: index -1 out of bounds for type 'char [256]
Following that there is a buffer overflow.

Stop this happening, and in other similar places, by checking for EOF.

diff --git a/gas/app.c b/gas/app.c
index 8dc69ff4ce04e61866104f0716a232126318ec4c..20b41209f94651d6abb2271cade9abe39d6b4457 100644 (file)
--- a/gas/app.c
+++ b/gas/app.c
@@ -820,7 +820,9 @@ do_scrub_chars (size_t (*get) (char *, size_t), char *tostart, size_t tolen,
 
       /* We need to watch out for .end directives: We should in particular not
         issue diagnostics for anything after an active one.  */
-      if (end_state == NULL)
+      if (ch == EOF)
+       end_state = NULL;
+      else if (end_state == NULL)
        {
          if ((state == 0 || state == 1)
              && (ch == '.'
@@ -858,7 +860,9 @@ do_scrub_chars (size_t (*get) (char *, size_t), char *tostart, size_t tolen,
 #if defined TC_ARM && defined OBJ_ELF
       /* We need to watch out for .symver directives.  See the comment later
         in this function.  */
-      if (symver_state == NULL)
+      if (ch == EOF)
+       symver_state = NULL;
+      else if (symver_state == NULL)
        {
          if ((state == 0 || state == 1)
              && strchr (tc_comment_chars, '@') != NULL
@@ -891,7 +895,9 @@ do_scrub_chars (size_t (*get) (char *, size_t), char *tostart, size_t tolen,
         MRI mode or not.  Unfortunately, since m68k MRI mode affects
         the scrubber, that means that we need a special purpose
         recognizer here.  */
-      if (mri_state == NULL)
+      if (ch == EOF)
+       mri_state = NULL;
+      else if (mri_state == NULL)
        {
          if ((state == 0 || state == 1)
              && ch == mri_pseudo[0])
@@ -927,7 +933,7 @@ do_scrub_chars (size_t (*get) (char *, size_t), char *tostart, size_t tolen,
            }
          else
            {
-             /* We've read the entire pseudo-op.  mips_last_ch is
+             /* We've read the entire pseudo-op.  mri_last_ch is
                 either '0' or '1' indicating whether to enter or
                 leave MRI mode.  */
              do_scrub_begin (mri_last_ch == '1');