PR32560 stack-buffer-overflow at objdump disassemble_bytes

There's always someone pushing the boundaries.

	PR 32560
	* objdump.c (MAX_INSN_WIDTH): Define.
	(insn_width): Make it an unsigned long.
	(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
	(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.

diff --git a/binutils/objdump.c b/binutils/objdump.c
index ecbe39e942e32ad34402096e886f15e6c2c3ba65..80044dea580227fba274b51bfc011fc18f660ae8 100644 (file)
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -117,7 +117,8 @@ static bool disassemble_all;                /* -D */
 static int disassemble_zeroes;         /* --disassemble-zeroes */
 static bool formats_info;              /* -i */
 int wide_output;                       /* -w */
-static int insn_width;                 /* --insn-width */
+#define MAX_INSN_WIDTH 49
+static unsigned long insn_width;       /* --insn-width */
 static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
 static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
 static int dump_debugging;             /* --debugging */
@@ -3391,7 +3392,7 @@ disassemble_bytes (struct disassemble_info *inf,
        }
       else
        {
-         char buf[50];
+         char buf[MAX_INSN_WIDTH + 1];
          unsigned int bpc = 0;
          unsigned int pb = 0;
 
@@ -6070,8 +6071,9 @@ main (int argc, char **argv)
          break;
        case OPTION_INSN_WIDTH:
          insn_width = strtoul (optarg, NULL, 0);
-         if (insn_width <= 0)
-           fatal (_("error: instruction width must be positive"));
+         if (insn_width - 1 >= MAX_INSN_WIDTH)
+           fatal (_("error: instruction width must be in the range 1 to "
+                    XSTRING (MAX_INSN_WIDTH)));
          break;
        case OPTION_INLINES:
          unwind_inlines = true;