[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/26698] New: out of bounds access in mc_unify_path

From: msebor at gmail dot com
Subject: [Bug binutils/26698] New: out of bounds access in mc_unify_path
Date: Thu, 01 Oct 2020 23:53:06 +0000


            Bug ID: 26698
           Summary: out of bounds access in mc_unify_path
           Product: binutils
           Version: 2.36 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: msebor at gmail dot com
  Target Milestone: ---

Compiling binutils/windmc.c with the top of trunk of GCC 11 on x86_64 triggers
the following warning:

src/binutils-gdb/binutils/windmc.c:927:10: warning: array subscript -1 is
outside array bounds of ‘char[9223372036854775807]’ [-Warray-bounds]
  927 |   if (hsz[-1] != '/' && hsz[-1] != '\\')
      |       ~~~^~~~
/src/binutils-gdb/binutils/windmc.c:924:9: note: referencing an object of size
between 2 and 9223372036854775807 allocated by ‘xmalloc’
  924 |   hsz = xmalloc (strlen (path) + 2);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~

The warning looks valid to me.  The function sets hsz to the result of
xmalloc() and then accesses hsz[-1] which is clearly before the beginning of
the allocated block:

atic const char *
mc_unify_path (const char *path)
  char *end;
  char *hsz;

  if (! path || *path == 0)
    return "./";
  hsz = xmalloc (strlen (path) + 2);
  strcpy (hsz, path);
  end = hsz + strlen (hsz);
  if (hsz[-1] != '/' && hsz[-1] != '\\')
    strcpy (end, "/");
  while ((end = strchr (hsz, '\\')) != NULL)
    *end = '/';
  return hsz;

You are receiving this mail because:
You are on the CC list for the bug.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]