bug-binutils

[Bug binutils/26698] New: out of bounds access in mc_unify_path


From: msebor at gmail dot com
Subject: [Bug binutils/26698] New: out of bounds access in mc_unify_path
Date: Thu, 01 Oct 2020 23:53:06 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=26698

            Bug ID: 26698
           Summary: out of bounds access in mc_unify_path
           Product: binutils
           Version: 2.36 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: msebor at gmail dot com
  Target Milestone: ---

Compiling binutils/windmc.c with the top of trunk of GCC 11 on x86_64 triggers
the following warning:

src/binutils-gdb/binutils/windmc.c:927:10: warning: array subscript -1 is
outside array bounds of ‘char[9223372036854775807]’ [-Warray-bounds]
  927 |   if (hsz[-1] != '/' && hsz[-1] != '\\')
      |       ~~~^~~~
/src/binutils-gdb/binutils/windmc.c:924:9: note: referencing an object of size
between 2 and 9223372036854775807 allocated by ‘xmalloc’
  924 |   hsz = xmalloc (strlen (path) + 2);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~

The warning looks valid to me.  The function sets hsz to the result of
xmalloc() and then accesses hsz[-1] which is clearly before the beginning of
the allocated block:

static const char *
mc_unify_path (const char *path)
{
  char *end;
  char *hsz;

  if (! path || *path == 0)
    return "./";
  hsz = xmalloc (strlen (path) + 2);
  strcpy (hsz, path);
  end = hsz + strlen (hsz);
  if (hsz[-1] != '/' && hsz[-1] != '\\')
    strcpy (end, "/");
  while ((end = strchr (hsz, '\\')) != NULL)
    *end = '/';
  return hsz;
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.
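
An added example, not part of the original report and not binutils code: a self-contained variant of the function with the trailing-separator check kept in bounds. It assumes the check was meant to inspect the last character of the copied path (end[-1]); the names checked_malloc and unify_path_checked are hypothetical, and plain malloc stands in for xmalloc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for xmalloc: abort instead of returning NULL. */
static void *checked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        abort();
    return p;
}

/* Hypothetical corrected variant of the function quoted in the report.
   Assumption: the separator test was meant to look at the last character
   of the copied path, i.e. end[-1], not hsz[-1].  The result is always
   heap memory, so the caller can free() it unconditionally. */
static char *unify_path_checked(const char *path)
{
    size_t len;
    char *hsz, *end;

    if (path == NULL || *path == '\0')
        path = "./";
    len = strlen(path);               /* len >= 1 from here on */
    hsz = checked_malloc(len + 2);    /* room for an added '/' plus the NUL */
    memcpy(hsz, path, len + 1);
    end = hsz + len;                  /* points at the terminating NUL */
    if (end[-1] != '/' && end[-1] != '\\') {  /* in bounds because len >= 1 */
        end[0] = '/';
        end[1] = '\0';
    }
    for (end = hsz; (end = strchr(end, '\\')) != NULL; )
        *end = '/';                   /* normalise backslashes */
    return hsz;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the report. */
    const char *samples[] = { "", "out", "out/", "C:\\msgs", "C:\\msgs\\" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *r = unify_path_checked(samples[i]);
        printf("\"%s\" -> \"%s\"\n", samples[i], r);
        free(r);
    }
    return 0;
}
```

Building the original function with -fsanitize=address and calling it on any non-empty path reports the read one byte before the heap block that the GCC warning describes.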

