From: Alan Modra Date: Sun, 19 Apr 2026 22:08:06 +0000 (+0930) Subject: gas: don't allow single quote to go past eol X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ac845df73237ba29cef128fbee5dafe1e74a72e;p=thirdparty%2Fbinutils-gdb.git gas: don't allow single quote to go past eol Fuzzers have found a testcase where expr() runs off the end of a strdup buffer created in tc-i386.c check_Scc_OszcOperations. printf '\"\000.insn EVEX {scc='\''\000' > test.s This patch fixes the overrun, and another parsing error that has existed since commit 219deb70ce2c. gas/testsuite/gas/mri/float.s doesn't exercise that mri mode code path. * expr.c (operand): Don't increment input_line_pointer past end of line/statement when single quote appears at the end of a line. Don't increment input_line_pointer before mri mode ':' hex float. --- diff --git a/gas/expr.c b/gas/expr.c index 7108d7332c4..ec6cedf60d1 100644 --- a/gas/expr.c +++ b/gas/expr.c @@ -1063,7 +1063,9 @@ operand (expressionS *expressionP, enum expr_mode mode) character, parity errors and all, is taken as the value of the operand. VERY KINKY. */ expressionP->X_op = O_constant; - expressionP->X_add_number = *input_line_pointer++; + expressionP->X_add_number = *input_line_pointer; + if (!is_end_of_stmt (*input_line_pointer)) + input_line_pointer++; break; } @@ -1325,7 +1327,6 @@ operand (expressionS *expressionP, enum expr_mode mode) /* In MRI mode, this is a floating point constant represented using hexadecimal digits. */ - ++input_line_pointer; integer_constant (16, expressionP); break;
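Review bot: In the first gas/expr.c hunk (@@ -1063), when is_end_of_stmt is true for the character after the quote, X_add_number is still assigned from *input_line_pointer, so the statement terminator itself becomes the constant's value and nothing is reported to the user. Consider issuing a diagnostic (as_warn or as_bad) in that case, or at least extending the comment above this code to say that a trailing quote yields the terminator's value and leaves input_line_pointer where it is. The diff also touches only gas/expr.c; a testsuite case built from the reproducer in the commit message would keep the overrun from regressing.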
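Review bot: In the second gas/expr.c hunk (@@ -1325), the removed ++input_line_pointer changes where integer_constant (16, expressionP) starts reading, but nothing in the hunk records what input_line_pointer is expected to point at on entry, and the commit message says gas/testsuite/gas/mri/float.s does not exercise this path. Please add an MRI-mode test covering the ':' hex float form so the fix is exercised, and extend the existing comment to state the pointer position being relied on, for example that it is already past the ':' if that is the invariant.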