From d6b67f5774b1f320ee1e6f26e47c49ace651d0a7 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Sun, 5 Nov 2017 19:52:13 +1030
Subject: [PATCH] Proper bound check in _bfd_doprnt_scan
While an abort after storing out of bounds by one to an array in our caller is probably OK in practice, it's better to check before storing.
PR 22397
* bfd.c (_bfd_doprnt_scan): Check args index before storing, not after.
(cherry picked from commit 26a9301057457ae576b51b8127bb805b4e484a6b)
---
 bfd/ChangeLog | 6 ++++++
 bfd/bfd.c | 12 ++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 3ddb1dce736..4ad3675763a 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-05 Alan Modra
+
+ PR 22397
+ * bfd.c (_bfd_doprnt_scan): Check args index before storing, not
+ after.
+
 2017-11-05 Alan Modra
 PR 22397
diff --git a/bfd/bfd.c b/bfd/bfd.c
index 0bec897240c..3e882297e02 100644
--- a/bfd/bfd.c
+++ b/bfd/bfd.c
@@ -959,10 +959,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 arg_index = *ptr - '1';
 ptr += 2;
 }
+ if (arg_index >= 9)
+ abort ();
 args[arg_index].type = Int;
 arg_count++;
- if (arg_count > 9)
- abort ();
 }
 else
 /* Handle explicit numeric value. */
@@ -984,10 +984,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 arg_index = *ptr - '1';
 ptr += 2;
 }
+ if (arg_index >= 9)
+ abort ();
 args[arg_index].type = Int;
 arg_count++;
- if (arg_count > 9)
- abort ();
 }
 else
 /* Handle explicit numeric value. */
@@ -1017,6 +1017,8 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 if ((int) arg_no < 0)
 arg_no = arg_count;
+ if (arg_no >= 9)
+ abort ();
 switch (ptr[-1])
 {
 case 'd':
@@ -1085,8 +1087,6 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 abort();
 }
 arg_count++;
- if (arg_count > 9)
- abort ();
 }
 }
--
2.47.2
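Review bot: With the `arg_count > 9` test removed in the `@@ -959` hunk (and again in the `@@ -984` and `@@ -1085` hunks), `arg_count` itself is no longer bounded. A directive carrying a positional `N$` index sets `arg_index` independently of `arg_count`, so the new `arg_index >= 9` test can pass on every directive while `arg_count++` keeps growing. If the caller uses the returned count to walk its array, a format with more than nine directives would take it past the last element; the return statement and the caller are outside these hunks, so this needs confirming. Checking both bounds ahead of the store, e.g. `if (arg_index >= 9 || arg_count >= 9) abort ();`, keeps the old limit on the count. The enclosing block starts and ends outside the hunk.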
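Review bot: The literal `9` in `if (arg_no >= 9)` in the `@@ -1017` hunk, and in the two `arg_index >= 9` checks in the earlier hunks, has to match the size of the array that the commit message says lives in the caller, but nothing in the visible lines ties the two together. A comment on the check such as `/* Must match the size of the caller's args[] array. */`, or a single named constant used for both the array declaration and these three tests, would keep the bound from drifting if the array is ever resized. The stores inside the `switch` that this check protects are outside the hunk.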