PR27071, gas bugs uncovered by fuzzing

PR 27071 * config/obj-elf.c (elf_obj_symbol_clone_hook): New function. (elf_format_ops): Set symbol_clone_hook. * config/obj-elf.h (elf_obj_symbol_clone_hook): Declare. (obj_symbol_clone_hook): Define. * listing.c (buffer_line): Avoid integer overflow on paper_width set to zero.
2025-06-20 18:08:24 +08:00 · 2020-12-15 21:54:09 +10:30
parent 9f132af9e1
commit 7bed846687
4 changed files with 34 additions and 8 deletions
--- a/gas/ChangeLog
+++ b/gas/ChangeLog
@ -1,3 +1,13 @@
 2020-12-15  Alan Modra  <amodra@gmail.com>
 	PR 27071
 	* config/obj-elf.c (elf_obj_symbol_clone_hook): New function.
 	(elf_format_ops): Set symbol_clone_hook.
 	* config/obj-elf.h (elf_obj_symbol_clone_hook): Declare.
 	(obj_symbol_clone_hook): Define.
 	* listing.c (buffer_line): Avoid integer overflow on paper_width
 	set to zero.
 2020-12-14  Alan Modra  <amodra@gmail.com>
 	* testsuite/gas/elf/section27.s: Reorder .text, .data and .bss
--- a/gas/config/obj-elf.c
+++ b/gas/config/obj-elf.c
@ -2102,6 +2102,22 @@ elf_obj_symbol_new_hook (symbolS *symbolP)
 #endif
 }
 /* Deduplicate size expressions.  We might get into trouble with
   multiple freeing or use after free if we leave them pointing to the
   same expressionS.  */
 void
 elf_obj_symbol_clone_hook (symbolS *newsym, symbolS *orgsym ATTRIBUTE_UNUSED)
 {
  struct elf_obj_sy *newelf = symbol_get_obj (newsym);
  if (newelf->size)
    {
      expressionS *exp = XNEW (expressionS);
      *exp = *newelf->size;
      newelf->size = exp;
    }
 }
 /* When setting one symbol equal to another, by default we probably
   want them to have the same "size", whatever it means in the current
   context.  */
@ -3088,6 +3104,6 @@ const struct format_ops elf_format_ops =
 #endif
  elf_obj_read_begin_hook,
  elf_obj_symbol_new_hook,
-  0,
+  elf_obj_symbol_clone_hook,
  elf_adjust_symtab
 };
--- a/gas/config/obj-elf.h
+++ b/gas/config/obj-elf.h
@ -223,6 +223,11 @@ void elf_obj_symbol_new_hook (symbolS *);
 #define obj_symbol_new_hook	elf_obj_symbol_new_hook
 #endif
 void elf_obj_symbol_clone_hook (symbolS *, symbolS *);
 #ifndef obj_symbol_clone_hook
 #define obj_symbol_clone_hook	elf_obj_symbol_clone_hook
 #endif
 void elf_copy_symbol_attributes (symbolS *, symbolS *);
 #ifndef OBJ_COPY_SYMBOL_ATTRIBUTES
 #define OBJ_COPY_SYMBOL_ATTRIBUTES(DEST, SRC) \
--- a/gas/listing.c
+++ b/gas/listing.c
@ -508,17 +508,12 @@ buffer_line (file_info_type *file, char *line, unsigned int size)
 	fseek (last_open_file, file->pos, SEEK_SET);
    }
  /* Leave room for null.  */
  size -= 1;
  c = fgetc (last_open_file);
  while (c != EOF && c != '\n' && c != '\r')
    {
-      if (count < size)
+      if (++count < size)
 	*p++ = c;
      count++;
      c = fgetc (last_open_file);
    }
@ -536,7 +531,7 @@ buffer_line (file_info_type *file, char *line, unsigned int size)
  if (c == EOF)
    {
      file->at_end = 1;
-      if (count + 2 < size)
+      if (count + 3 < size)
 	{
 	  *p++ = '.';
 	  *p++ = '.';