From a20c9955779aa788f3b7433b8a9eddddbed9b1cb Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sun, 18 May 2025 19:40:34 +0930
Subject: [PATCH] ubsan: integer overflow in s_fill

Silence ubsan warning.  We don't worry about wrap-around in most
places that adjust abs_section_offset, so don't fuss over an overflow
in the multiplication here.

	* read.c (s_fill): Replace "long" vars with offsetT and valueT.
	Avoid signed overflow calculating abs_section_offset.
---
 gas/read.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gas/read.c b/gas/read.c
index 2691f31c4ad..eaa1300ff96 100644
--- a/gas/read.c
+++ b/gas/read.c
@@ -2263,8 +2263,8 @@ void
 s_fill (int ignore ATTRIBUTE_UNUSED)
 {
   expressionS rep_exp;
-  long size = 1;
-  long fill = 0;
+  offsetT size = 1;
+  valueT fill = 0;
   char *p;
 
 #ifdef md_flush_pending_output
@@ -2330,7 +2330,7 @@ s_fill (int ignore ATTRIBUTE_UNUSED)
   if (size && !need_pass_2)
     {
       if (now_seg == absolute_section)
-	abs_section_offset += rep_exp.X_add_number * size;
+	abs_section_offset += (valueT) rep_exp.X_add_number * size;
 
       if (rep_exp.X_op == O_constant)
 	{
@@ -2373,7 +2373,7 @@ s_fill (int ignore ATTRIBUTE_UNUSED)
 	 bytes from a 4-byte expression and they forgot to sign
 	 extend.  */
 #define BSD_FILL_SIZE_CROCK_4 (4)
-      md_number_to_chars (p, (valueT) fill,
+      md_number_to_chars (p, fill,
 			  (size > BSD_FILL_SIZE_CROCK_4
 			   ? BSD_FILL_SIZE_CROCK_4
 			   : (int) size));
-- 
2.39.5