PR25344, z80 disassembler recursion

PR 25344 * z80-dis.c (suffix): Don't use a local struct buffer copy. Peek at next byte to prevent recursion on repeated prefix bytes. Ensure uninitialised "mybuf" is not accessed. (print_insn_z80): Don't zero n_fetch and n_used here,.. (print_insn_z80_buf): ..do it here instead.
2025-06-17 16:05:56 +08:00 · 2020-01-06 08:52:39 +10:30
parent 01335edbac
commit 660e62b1d9
2 changed files with 40 additions and 29 deletions
--- a/opcodes/ChangeLog
+++ b/opcodes/ChangeLog
@ -1,3 +1,12 @@
 2020-01-06  Alan Modra  <amodra@gmail.com>
 	PR 25344
 	* z80-dis.c (suffix): Don't use a local struct buffer copy.
 	Peek at next byte to prevent recursion on repeated prefix bytes.
 	Ensure uninitialised "mybuf" is not accessed.
 	(print_insn_z80): Don't zero n_fetch and n_used here,..
 	(print_insn_z80_buf): ..do it here instead.
 2020-01-04  Alan Modra  <amodra@gmail.com>
 	* m32r-ibld.c: Regenerate.
--- a/opcodes/z80-dis.c
+++ b/opcodes/z80-dis.c
@ -713,55 +713,57 @@ static int
 print_insn_z80_buf (struct buffer *buf, disassemble_info *info);
 static int
-suffix (struct buffer *buf_in, disassemble_info *info, const char *txt)
+suffix (struct buffer *buf, disassemble_info *info, const char *txt)
 {
  struct buffer buf;
  char mybuf[TXTSIZ*4];
  fprintf_ftype old_fprintf;
  void *old_stream;
  char *p;
  buf_in->n_used++;
  buf = *buf_in;
  buf.n_fetch = 0;
  buf.n_used = 0;
  buf.base++;
  switch (txt[2])
    {
    case 'l': /* SIL or LIL */
-      buf.nn_len = 3;
+      buf->nn_len = 3;
      break;
    case 's': /* SIS or LIS */
-      buf.nn_len = 2;
+      buf->nn_len = 2;
      break;
    default:
-      /* unknown suffix */
+      abort ();
      return -1;
    }
  if (!fetch_data (buf, info, 1)
      || buf->data[1] == 0x40
      || buf->data[1] == 0x49
      || buf->data[1] == 0x52
      || buf->data[1] == 0x5b)
    {
      /* Double prefix, or end of data.  */
      info->fprintf_func (info->stream, "nop ;%s", txt);
      buf->n_used = 1;
      return buf->n_used;
    }
  old_fprintf = info->fprintf_func;
  old_stream = info->stream;
-  info->fprintf_func = (fprintf_ftype)&sprintf;
+  info->fprintf_func = (fprintf_ftype) &sprintf;
  info->stream = mybuf;
-  print_insn_z80_buf(&buf, info);
+  buf->base++;
  if (print_insn_z80_buf (buf, info) >= 0)
    buf->n_used++;
  info->fprintf_func = old_fprintf;
  info->stream = old_stream;
-  for (p = &mybuf[0]; *p && *p != ' ' && *p != '.'; ++p)
+  for (p = mybuf; *p; ++p)
-    ;
+    if (*p == ' ')
-
+      break;
-  if (*p == '.') /* suffix already present */
+  if (*p)
    {
-      info->fprintf_func(info->stream, "nop ;%s", txt); /* double prefix */
+      *p++ = '\0';
-      return buf_in->n_used;
+      info->fprintf_func (info->stream, "%s.%s %s", mybuf, txt, p);
    }
-
+  else
-  *p++ = '\0';
+    info->fprintf_func (info->stream, "%s.%s", mybuf, txt);
-  info->fprintf_func(info->stream, *p ? "%s.%s %s" : "%s.%s", mybuf, txt, p);
+  return buf->n_used;
  memcpy(&buf_in->data[1], buf.data, sizeof(buf.data)-1);
  buf_in->n_used += buf.n_used;
  buf_in->n_fetch += buf.n_fetch;
  return buf_in->n_used;
 }
 /* Table to disassemble machine codes without prefix.  */
@ -839,8 +841,6 @@ print_insn_z80 (bfd_vma addr, disassemble_info * info)
  struct buffer buf;
  buf.base = addr;
  buf.n_fetch = 0;
  buf.n_used = 0;
  buf.inss = 1 << info->mach;
  buf.nn_len = info->mach == bfd_mach_ez80_adl ? 3 : 2;
  info->bytes_per_line = (buf.inss & INSS_EZ80) ? 6 : 4; /* <ss pp oo nn mm MM> OR <pp oo nn mm> */
@ -853,6 +853,8 @@ print_insn_z80_buf (struct buffer *buf, disassemble_info *info)
 {
  struct tab_elt *p;
  buf->n_fetch = 0;
  buf->n_used = 0;
  if (! fetch_data (buf, info, 1))
    return -1;